Americas Headquarters Cisco Systems, Inc. 170 West Tasman Drive San Jose, CA 95134-1706 USA http://www.cisco.com Tel: 408 526-4000 800 553-NETS (6387) Fax: 408 527-0883
CCDE, CCENT, CCSI, Cisco Eos, Cisco HealthPresence, Cisco IronPort, the Cisco logo, Cisco Nurse Connect, Cisco Pulse, Cisco SensorBase, Cisco StackPower, Cisco StadiumVision, Cisco TelePresence, Cisco Unified Computing System, Cisco WebEx, DCE, Flip Channels, Flip for Good, Flip Mino, Flipshare (Design), Flip Ultra, Flip Video, Flip Video (Design), Instant Broadband, and Welcome to the Human Network are trademarks; Changing the Way We Work, Live, Play, and Learn, Cisco Capital, Cisco Capital (Design), Cisco:Financed (Stylized), Cisco Store, Flip Gift Card, and One Million Acts of Green are service marks; and Access Registrar, Aironet, AllTouch, AsyncOS, Bringing the Meeting To You, Catalyst, CCDA, CCDP, CCIE, CCIP, CCNA, CCNP, CCSP, CCVP, Cisco, the Cisco Certified Internetwork Expert logo, Cisco IOS, Cisco Lumin, Cisco Nexus, Cisco Press, Cisco Systems, Cisco Systems Capital, the Cisco Systems logo, Cisco Unity, Collaboration Without Limitation, Continuum, EtherFast, EtherSwitch, Event Center, Explorer, Follow Me Browsing, GainMaker, iLYNX, IOS, iPhone, IronPort, the IronPort logo, Laser Link, LightStream, Linksys, MeetingPlace, MeetingPlace Chime Sound, MGX, Networkers, Networking Academy, PCNow, PIX, PowerKEY, PowerPanels, PowerTV, PowerTV (Design), PowerVu, Prisma, ProConnect, ROSA, SenderBase, SMARTnet, Spectrum Expert, StackWise, WebEx, and the WebEx logo are registered trademarks of Cisco Systems, Inc. and/or its affiliates in the United States and certain other countries. All other trademarks mentioned in this document or website are the property of their respective owners. The use of the word partner does not imply a partnership relationship between Cisco and any other company. (0910R)
Any Internet Protocol (IP) addresses used in this document are not intended to be actual addresses. Any examples, command display output, and figures included in the document are shown for illustrative purposes only. Any use of actual IP addresses in illustrative content is unintentional and coincidental. Networking Primer for Small Businesses 2009 Cisco Systems, Inc. All rights reserved.
CONTENTS

Preface ix
    Overview ix
    Audience ix
    Organization x
    Related Documentation x
    Obtaining Documentation, Obtaining Support, and Security Guidelines xii

CHAPTER 1 Overview 1-1
    Computer Networks and their Advantages 1-1
    Business Locations of a Small Business Network 1-3
    Computer Network for a Small Business 1-5
    Small Business Network Architecture and Components 1-6

CHAPTER 2 Data Communication in a Computer Network 2-1
    Data Representation and Transfer 2-1
    OSI Model of Data Communication 2-3
        Overview 2-3
        OSI Model Layers 2-3
            Layer 1: Physical Layer 2-4
            Layer 2: Data Link Layer 2-5
            Layer 3: Network Layer 2-5
            Layer 4: Transport Layer 2-5
            Layer 5: Session Layer 2-6
            Layer 6: Presentation Layer 2-6
            Layer 7: Application Layer 2-6

CHAPTER 3 TCP/IP Protocol Suite 3-1
    Comparing the OSI Model and the TCP/IP Protocol Suite 3-1
    TCP/IP Physical and Data Link Layers 3-3
    Local Area Network Technology (Layer 1 and 2) 3-3
        Ethernet Physical Layer (Layer 1) 3-4
        Ethernet Data Link Layer (Layer 2) 3-4
        CSMA/CD Technology 3-5
        LAN Transmission Methods 3-5
        LAN Topologies and Components 3-6
        Ethernet Switch and Its Functions 3-6
        Virtual LANs 3-7
        Switch Port Modes 3-8
        Spanning Tree Protocol 3-9
        Rapid Spanning Tree Protocol 3-10
    TCP/IP Network Layer 3-11
        IP Version 4 and IP Version 6 3-11
        IP Packet 3-11
    Data Transfer in IP Networks 3-12
        IP Address Classes 3-13
        Private IP Addresses 3-14
        Network Masks 3-15
        IP Subnetting 3-15
    TCP/IP Transport Layer 3-16

CHAPTER 4 Protocols and Features Used in a TCP/IP Network 4-1
    Routing and Routing Protocols 4-1
        Static Routing 4-2
        Dynamic Routing 4-2
    Address Resolution Protocol 4-3
    Dynamic Host Configuration Protocol 4-4
    Domain Name System 4-5
    Dynamic DNS 4-6

CHAPTER 5 Network Architecture for a Small Business 5-1
    Small Business Network Topology 5-1
        Local Area Network 5-2
        Wide Area Network 5-3
    Ethernet Switches 5-4
        Ethernet Interface Types and Operating Modes 5-4
        IP Multicast and IGMP Snooping 5-5
        Managed and Unmanaged Switches 5-5
        Layer 3 Switching 5-5
        Power over Ethernet 5-6
        Quality of Service in a Switch 5-6
        LAN High Availability 5-7
            Switch Stack 5-7
            Link Aggregation (EtherChannel) 5-7
        Switch Security 5-7
            Port Security 5-8
            BPDU Guard 5-8
            Storm Control 5-8
            Port-Based Network Access Control (802.1x) 5-9
    WAN Routers 5-9
        WAN Router with Integrated Switch 5-9
        WAN Interface and Connection Types 5-10
        Router DHCP Server 5-10
        Router Authentication Server 5-10
        WAN Router Security 5-11
            Intrusion Prevention System 5-11
            Guest Access 5-11
            Spam Blocking 5-11
            URL Filtering 5-11
            Content Filtering 5-12
        WAN Router Quality of Service 5-12
        WAN Router High Availability 5-12
            Redundant WAN Links 5-12
            Link Aggregation 5-12
            Hot Standby Router Protocol 5-13
    Network Address Translation 5-13
        Why NAT? 5-13
        How NAT Works 5-14
        Port Address Translation 5-16
        Static NAT 5-16
        NAT Inside the Payload 5-16
    Network Management 5-17
        Web-Based Management Tools 5-17
        Command-Line Interface 5-17
        Simple Network Management Protocol 5-18
        WAN Router Universal Plug and Play 5-18
        Other Management Tools 5-18

CHAPTER 6 6-1

CHAPTER 7 Infrastructure Requirement for Wireless LAN 7-1
    Wireless Devices 7-1
        Wireless Access Point 7-1
        Wireless LAN Controller 7-2
    Separate VLANs for Wireless Traffic 7-2
    Quality of Service 7-2

APPENDIX A A-1
    QoS in a Switch A-6
    Advanced QoS A-7
        Hierarchical Queuing A-7
        Weighted Random Early Detection A-7

APPENDIX B Network Security B-1
    Infrastructure Protection B-1
    Firewall Policy Enforcement B-2
        Firewall Policies for Internet Access B-4
        Firewall Policies for the DMZ B-4
        Additional Firewall Zones B-5
    Enhanced Stateful Packet Inspection B-5
    Mitigating DoS Attacks B-6

APPENDIX C C-1
    Basic Cryptographic Procedures C-2
        Preshared Key C-2
        RSA C-2
        Cryptographic Hash Function C-2
        Hash-Based Message Authentication Code C-3
        X.509 Digital Certificate C-3
        Diffie-Hellman Key Exchange C-3
        Encryption C-4
    IPSec Technology C-4
    Virtual Private Network for Small Businesses C-7
        IPSec Site-to-Site VPN for Remote Office C-7
        IPSec Remote Access VPN for Home Office and Mobile Workers C-7
        SSL VPN for Mobile Worker C-7

INDEX
Preface
This preface contains the following sections:
Overview, page ix
Audience, page ix
Organization, page x
Related Documentation, page x
Obtaining Documentation, Obtaining Support, and Security Guidelines, page xii
Overview
This network primer is intended for anyone who wants a basic understanding of computer networks, particularly the kind of networks that are most useful for small businesses: the networking technologies and devices, their important features, and their impact on a small business network. No prior knowledge of computer network technology is required. As more and more business functions within a small business are computerized, the quality of the computer network affects the business more than ever before. This primer describes the networking technology required to meet the needs of small businesses, especially in regard to the following business considerations:
Audience
This document is written for junior technical personnel, or as a refresher in the basics of networking for networking administrators, designers, or implementation engineers. Although this document is highly recommended, it may not be required for experienced technical personnel who are already familiar with networking technology.
Organization
The following table summarizes how this document is organized and the purpose of each chapter and appendix:

Chapter 1: Overview
    This chapter provides an introduction to the document, defining the goals a small business typically seeks to achieve through computer networking, and defining basic terms and concepts used throughout the document.

Chapter 2: Data Communication in a Computer Network
    This chapter introduces general data communication concepts such as binary data representation for data storage and transfer, IP addressing, subnets, and OSI layers. This chapter can be skipped if the reader is already familiar with these concepts.

Chapter 3: TCP/IP Protocol Suite
    This chapter describes the TCP/IP protocol suite, which is the standard for implementation and deployment of computer networks worldwide.

Chapter 4: Other Protocols Used in a TCP/IP Network
    This chapter describes the most important of the various other protocols that are commonly used in a TCP/IP network.

Chapter 5: Small Business Network Architecture
    This chapter describes a small business network architecture in terms of the network components such as switches and routers, their connections, and their roles. In addition, it provides details of some of their functionality that are important for a small business network.

Chapter 6
    This chapter describes specific aspects of the network infrastructure required for implementation of IP telephony, including VLAN and QoS. A complete description of IP telephony design is outside the scope of this document.

Chapter 7: Infrastructure Requirement for Wireless LAN
    This chapter provides a short description of the wired infrastructure required for implementing a wireless LAN (WLAN). A complete description of wireless LAN implementation is outside the scope of this document.

Appendix A
    This appendix provides a further discussion of quality of service (QoS) concepts and mechanisms.

Appendix B: Network Security
    This appendix describes network security, which is critical to protect a business and its resources from various threats, such as viruses, worms, and denial-of-service (DoS) attacks.

Appendix C
    The security of sensitive data transmitted between employees of a business over a shared public network, such as the Internet, is critical to the business. This appendix describes Virtual Private Network (VPN) technology, which can help ensure data security.
Related Documentation
Figure 1 illustrates the relationship between the various documents available for deploying network implementations based on the recommended architecture:
Figure 1 (figure: relationship between this document and the Design Guide, for technical decision makers / network designers / network implementers)
Smart network design and implementations are described in the following series of task-oriented documents, each with a specific purpose:

Network Primer for Small Businesses (this document): Presents an introduction to basic networking concepts for junior technical personnel, or as a refresher in the basics of networking for networking administrators, designers, or implementation engineers. Although this document is highly recommended, it may not be required for experienced technical personnel who are already familiar with networking technology.

Network Design Guides: Describe a network design suitable for small businesses, including several typical variations in network topology and supported functionality. This document is primarily written for network designers, senior technical personnel, and network implementation engineers. This document assumes that the reader is already familiar with basic networking concepts, as described in the Network Primer for Small Businesses.

Implementation Guides: Provide guidance for a full or partial implementation of the design using specific hardware. Several implementation guides are available for use with the SNF Network Design Guide. For example, one implementation guide focuses on providing basic network functionality, such as Internet access, using a specific Cisco ISR router. A different implementation guide, which may use a different router, describes how to add support for hosted Internet servers, such as web or e-mail servers.

Application Notes: Describe how to add a specific service, such as a site-to-site VPN or an Intrusion Prevention System (IPS), to the basic implementation.

Ordering Guides: Describe the specific hardware and software required to deploy a network using the appropriate implementation guide.
Note
For a complete list of SNF documents, see the following website: http://www.cisco.com/go/partner/smartdesigns
CHAPTER 1
Overview
This chapter provides an introduction to the document, identifies the goals a small business typically seeks to achieve through computer networking, and defines basic terms and concepts used throughout the document. It includes the following sections:
Computer Networks and their Advantages, page 1-1
Business Locations of a Small Business Network, page 1-3
Computer Network for a Small Business, page 1-5
Small Business Network Architecture and Components, page 1-6
Computer Networks and their Advantages

PCs and laptops
IP phones
Video cameras
Data center computers running various business applications
Printers
FAX machines
Point-of-sale equipment
Data storage devices
Deployment of computer networks has evolved to a stage where a network is now treated as an essential part of a business infrastructure. Computer networks help businesses to be competitive and profitable by providing quick and efficient information collection, storage, retrieval, analysis, and sharing, as described below.

Improved employee collaboration: The network helps employees retrieve and share information and ideas easily, at electronic speed. Ubiquitous e-mail applications, messaging applications, and social networking over the Internet are possible because of computer networks. Computer networking helps an employee check the availability of other employees and set up web-based meetings with participants dispersed over a wide area. Advanced collaboration tools, such as audio and video conferencing and real-time file sharing, save time and money.

Improved business process efficiency: A computer network can help streamline business processes and make them more efficient. Any information recorded by a business process can be made available to other business processes instantly through the network, which greatly improves efficiency. The network also improves business process accuracy by preventing the duplication of information. A single copy of the information can be shared over the network, which helps ensure consistency among all the business applications that use the data.

Improved collaboration with business partners: Business partners can complete transactions with a small business over the computer network, which improves collaboration and efficiency. Applications such as web-based multimedia conferencing, e-mail, and messaging supplement various business-specific collaboration applications to simplify interbusiness collaboration.

Improved customer relations: Customers can communicate efficiently over the Internet to complete transactions, get business information, and provide feedback. Internet-based interaction with customers is an important service provided by a business that saves time and money for both the business and the customers.

Resource sharing: The network can reduce cost by sharing office resources over the network. For example, resources such as printers and network storage devices can be shared among groups of employees. Similarly, software cost may be reduced by installing a single copy of the software on a server. This software can then be used remotely over the network by various users, as allowed by the terms of the software license agreement. This reduces the direct software cost as well as the cost of installation and administration. The network also allows standardization on a single software version, which minimizes software compatibility issues.

A computer network allows an administrator to administer all computers from a single location, without having to be physically present at each individual computer.

Secure management of sensitive information: A properly designed computer network helps control access to network resources and information.

Worldwide, instantaneous access to information: A small business can disseminate business information globally simply by including it in its web pages. This is one of the simplest ways to advertise services and distribute business information to locations throughout the entire world.
Figure 1-1 (figure: small business with Internet access; IP phones on the office LAN connected to the Internet)

Business Locations of a Small Business Network
As business demands grow, the network may be expanded through secure connectivity with remote offices, home offices, and mobile workers, as shown in Figure 1-2. The various types of small business office locations in this expanded network are described below.

Main Office: The primary location containing most of the shared data and networking resources, such as files, databases, business servers, web servers, and e-mail servers. Typically, the main office is also the primary business location. If a small business has a single location, that location is its main office.

Remote Office: A satellite business location connected to the main office either using a leased line (WAN) or over the Internet. A remote office typically has fewer employees than the main office. The remote office network has a WAN router and additional network devices such as switches. It is atypical for remote offices to host web services or any other services accessible from the public Internet; such services, when deployed, are typically located at the main office. A remote office is typically connected to the Internet and to other locations with a broadband link or a leased line.
Figure 1-2 (figure: main office, remote office, home office, and mobile worker connected via the Internet; IP phones at each location)
Home Office: A home office is a residential location from which an employee conducts business activities by securely connecting to the main office or a remote office. A home office network has a WAN router and may also have additional network devices, such as switches. Devices that can be attached to the home office network include PCs, laptops, and IP telephones. Home offices typically use broadband links for Internet access and for connections with other offices.

Mobile Worker: A mobile worker securely accesses the office network through the Internet by establishing a virtual private network (VPN) connection from a laptop. To gain Internet access, a mobile worker may use any available public or private network offering such access, such as those at airports, hotels, and public Wi-Fi spots, or an employee residence. A mobile worker does not need any network equipment, such as a router or a switch, and does not have a permanent connection to the office network; the mobile worker establishes a VPN connection to the office network as needed. A mobile worker typically travels only with a laptop and does not use an IP telephone. However, the mobile worker can use a softphone, which is software installed on a laptop or other computer that emulates an IP phone. Some small businesses treat contractors as mobile workers, which allows their access to network resources to be restricted.
The key difference between a home office and a mobile worker is that the home office has a permanent VPN connection between the home office router and the main office. The mobile worker establishes a VPN connection as needed directly between a laptop and the main office.
Computer Network for a Small Business

Access to the Internet.
Employee communication using applications such as e-mail and messaging.
Running or interoperating with business-specific applications, such as order entry, order processing, and financial applications.
Secure access by authorized employees to sensitive company resources, such as business data, payroll information, and so forth.
Business partner collaboration over the Internet.
Public access to general company resources, such as the company website and ordering site.
IP telephony, which offers more cost-effective and flexible telephony options.
Data storage and sharing using Network Attached Storage (NAS) devices.
Video applications, such as video surveillance.
Wireless network access integrated with the wired computer network to provide employee mobility within the office.
Unified communication and collaboration applications, including audio, video, and other media. Unified communication allows employees, business partners, and customers to collaborate with a combination of voice, video, and data applications from an office or from remote locations, such as airports, hotels, warehouses, or vehicles, using wired or wireless connections. Without unified communication, employees must master a variety of tools to communicate effectively over the network. Cisco Unified Communications integrates applications to provide simple, and even one-click, access to a variety of applications. Examples include a directory lookup application that automatically launches other applications, such as a one-click telephone call or messaging, or a messaging application that launches a conferencing application.
Secure connectivity for remote offices, home offices, and mobile workers using VPNs.
A network for a small business, whether it provides basic Internet access or offers more sophisticated audio and video services, must maintain some essential characteristics:
Small Business Network Architecture and Components

LAN
WAN
Shared devices and servers
Public switched telephone network (PSTN) connection (optional)
Figure 1-3 illustrates two network topologies that are suitable for most small businesses, and which form the basis for most of the discussions in this document.
Figure 1-3 Small Business Network Components (figure: two topologies, each with PCs/laptops, IP phones, and an optional PSTN connection)
The simplest small business network, shown on the left side of the figure, provides Internet access to network users. It assumes that applications such as e-mail and messaging services are provided by the Internet Service Provider (ISP). The network illustrated on the right side of the figure is a more sophisticated network, which can provide local services, such as IP telephony, and host local servers, such as web servers, e-mail servers, and other servers required by the network infrastructure, such as an IP telephony server. The components of a small business network have the following functions:

Local area network (LAN): Interconnects all local devices, such as PCs, laptops, IP telephones, business servers, shared printers, shared storage devices, and video surveillance cameras. The main networking device used within a LAN is known as a switch. Although there are various types of switches, the small office LAN uses a switch with Ethernet technology for data communication (for further information, see the Ethernet Switch and Its Functions section on page 3-6).
A LAN allows connected devices to communicate at high speeds, such as 10, 100, or 1000 megabits per second (Mbps). This allows fast communication among employees and easy access to business servers and other shared resources, such as printers and storage devices. All end-user devices, such as PCs, laptops, IP telephones, printers, scanners, and business-specific devices (such as weighing machines and cash registers), are attached to the LAN. A LAN imposes a limit on how far apart the connected devices can be. This usually means that the boundary of a LAN lies within a building or, at most, a few adjacent buildings. Most small business offices do not extend beyond a couple of buildings. Therefore, it is typical for a small business network to have a single LAN.

Wireless LAN: A wireless LAN connects multiple wireless-enabled devices, such as laptops and wireless IP phones, to the wired LAN. A wireless LAN uses specialized devices, such as a Wireless Access Point (AP) and a Wireless LAN Controller. This document focuses on wired LAN technology. However, Chapter 7, Infrastructure Requirement for Wireless LAN, does discuss the wired infrastructure requirements for deploying a wireless LAN.

Wide area network (WAN): A WAN interconnects devices that are distributed geographically. In a small business network, the devices within each office location are connected by a LAN, and the WAN is used to interconnect the various LANs. As shown in Figure 1-3, the router WAN interface is connected to the Internet or directly to another business location over a WAN that is owned and operated by a service provider. A small business network uses the WAN to connect to the Internet, remote offices, home offices, and mobile workers. The basic networking device used in the WAN is called a router. A router may provide additional capabilities related to advanced security and voice, and so may also function as a security appliance or a unified communication device. A WAN may use many technologies for data communication. These include, but are not limited to, the following:

Ethernet
ADSL
G.SHDSL
ISDN
3G wireless
DSL over ISDN
ATM
Frame Relay
PSTN

Leased line: A leased line is a private, high-performance circuit leased from a service provider that can be used to connect directly to another location (private WAN link).

Internet connection: Internet access can be provided over cable or telephone wires using technologies such as cable modem, DSL, or ISDN. Internet access can also be provided by other technologies, such as T1/E1 links. Internet access is not dedicated to a single destination, and can be used for data communication with any other site or user connected to the Internet.
The main differences between these two WAN connection types are summarized in Table 1-1.
Both leased line and Internet connections are useful for small businesses. Leased lines are more expensive, but they provide guaranteed bandwidth with low data loss and jitter and therefore are better for business-class voice and video. Typically, Internet connections do not offer any minimum bandwidth guarantee, and can drop packets. Internet connections are sufficient if Internet access is the only service supported, or if best effort voice and video is acceptable.

Public switched telephone network (PSTN) connection: A small business typically uses the PSTN in parallel with its IP telephone network to connect with telephones outside the IP telephony network.

Application servers: Servers are computers that run various business applications, such as web servers, e-mail servers, and computers that run business-specific applications. These use the network infrastructure for data communication. Some of these servers, such as those hosting the small business website, are accessible from the public Internet.

Network infrastructure servers: Network infrastructure servers run applications that let the network run properly, such as authentication (RADIUS) servers, servers that dynamically assign IP addresses to other devices (DHCP), servers that control IP telephone calls (such as Cisco Unified Communications Manager), and servers that map device IP addresses to domain names (DNS server).
Note
Simplifying the small business network reduces the number of devices and the amount of administrative overhead. Some WAN routers can help by integrating the function of one or more network infrastructure servers, so that a separate server is not required. The network also connects other shared devices accessible to multiple users, such as network attached storage (NAS) devices, print servers, fax machines, and video surveillance cameras.
Table 1-1 WAN Connection Types

Who provides the service?
    Private WAN link: Service provider
    Internet access: Internet service provider (ISP)
    Remark: The same provider can provide both types of WAN connection

Destination of traffic
    Private WAN link: Dedicated connection between predetermined sites
    Internet access: Traffic can be directed to any location connected to the Internet

Connection technologies
    Private WAN link: T1/E1, T3/E3, DS3, Frame Relay, Ethernet
    Internet access: xDSL, cable, T1/E1, T3/E3, DS3, ISDN, Ethernet
    Remark: Other WAN technologies, such as ATM, are not typically used by small businesses

Data security
    Private WAN link: Secure to a large extent
    Internet access: Not secure, unless used with VPN or other types of encryption
    Remark: Private WAN links (leased lines) are secure to the extent that data is isolated from other leased lines, but the data is not encrypted

Service quality
    Private WAN link: Typically guaranteed bandwidth, with low data loss
    Internet access: Typically no end-to-end guarantee on bandwidth or data loss
    Remark: Cost depends on several factors, such as speed, maximum delay, reliability, repair time, and so forth

Application suitability
    Remark: The Internet is a best effort network, meaning that packets can get lost or delayed. As a result, only best effort voice and video is possible.
CHAPTER 2
Data Communication in a Computer Network

Data Representation and Transfer, page 2-1
OSI Model of Data Communication, page 2-3
Data Representation and Transfer

Figure 2-1 (figure: the word HELLO stored as five bytes, Byte 1 through Byte 5)
As Figure 2-1 shows, the ASCII character H is encoded as the decimal number 72, which is equivalent to the binary number 01001000. Hexadecimal numbers (base 16) are often used as a concise way to represent binary numbers. The digits 10 to 15 are represented by the letters A to F, so any group of 4 binary digits can be represented by a single hexadecimal digit from 0 to F. To convert a binary number to hexadecimal, divide the binary number into 4-digit groups and assign a hexadecimal digit to each group. For example, the ASCII character H has a binary value of 01001000 and a hexadecimal value of 48, calculated as follows:

01001000 has two 4-digit groups: 0100 and 1000
binary 0100 = hexadecimal 4
binary 1000 = hexadecimal 8

As Figure 2-1 shows, the entire word HELLO is represented in hexadecimal as 48 45 4C 4C 4F. In addition to ASCII, other encoding schemes exist, such as Extended Binary Coded Decimal Interchange Code (EBCDIC), which encodes characters as binary data in the same way but assigns different binary values to the same letters. When a computer sends data bytes over an electrical cable, the source computer's network interface converts the bits into the appropriate electrical signals. If an optical cable is used, the bits are converted into the appropriate optical signals. A wireless interface converts the bits into electromagnetic waves. The destination device receives the signals and converts them back into the original binary digits and the corresponding data bytes.
OSI Model of Data Communication

Overview, page 2-3
OSI Model Layers, page 2-3
Layer 1: Physical Layer, page 2-4
Layer 2: Data Link Layer, page 2-5
Layer 3: Network Layer, page 2-5
Layer 4: Transport Layer, page 2-5
Layer 5: Session Layer, page 2-6
Layer 6: Presentation Layer, page 2-6
Layer 7: Application Layer, page 2-6
Overview
The OSI reference model is a network architectural model for data communications developed by the International Organization for Standardization (ISO) and the Telecommunication Standardization Sector of the ITU (ITU-T). The OSI model divides the data communication process into seven separate groups of functions called layers. The seven layers of the OSI model address various functions, including the following:

How to identify a network device or end node (addressing)
How to control the rate of data transfer between the source and destination so that a fast sender does not send more traffic than the receiver can handle (flow control)
How to identify transmission errors and recover from them
What additional information to send along with the data (encapsulating the data) to help the network devices forward the traffic
How to transfer messages reliably
The OSI model is a great way to learn the intricacies of data communication, conduct academic research, and to provide a consistent set of terms to help disseminate technical information. However, it is rarely implemented in actual network devices today. The TCP/IP protocol suite, described in Chapter 3, TCP/IP Protocol Suite, is the protocol stack that is actually used in data networks today. It has a similar, but simpler, architectural model, providing only five layers of networking functions.
When a computer application, such as an e-mail program, sends data to another computer, the data is encapsulated within each successive layer by the operating system software. Each layer provides a specific set of functions required for transferring the data efficiently over the physical network media. Figure 2-2 shows the seven layers of the OSI model and shows how layer-specific headers are added, in a process called encapsulation, at the source, and removed at the destination (decapsulation) by the software running at each OSI layer.
Figure 2-2 Seven Layers of the OSI Model (figure: at the source, the layers from Application down to Physical pass DATA downward, each adding its header, so the unit grows from DATA to SH DATA, TH SH DATA, NH TH SH DATA and finally DH NH TH SH DATA on the wire; at the destination the same headers are removed in reverse order until the application receives DATA)
SH: Session layer header, TH: Transport layer header, NH: Network layer header, DH: Data link layer header
Layer 1 - Physical Layer
The physical layer defines the following:
- Conversion of data bits to electrical or optical signals
- Electrical or optical characteristics of the cable
- Type of connector, including the number and arrangement of the pins
A single network device can support various types of physical links, such as the different flavors of Ethernet, but each type requires its corresponding physical layer.
Chapter 2
Layer 2 - Data Link Layer
The data link layer is responsible for the following:
- Detection of data corruption
- Coordination of data transfer across a shared link when multiple devices transfer data using the link
- Use of data link layer addresses to identify individual network devices attached to a single link (for example, the Ethernet MAC address)
The data link layer adds the information required to perform these functions to the data being transmitted, such as the Layer 2 destination and source addresses, which are required to deliver the frame correctly. The additional information added to the data is called the data link header.
Layer 3 - Network Layer
The network layer is responsible for the following:
- Finding a path to the destination
- Error reporting
- Congestion control
- Reassembly of a packet if the network has to fragment it for transmission
Chapter 3 TCP/IP Protocol Suite
Comparing the OSI Model and the TCP/IP Protocol Suite, page 3-1
Local Area Network Technology (Layer 1 and 2), page 3-3
TCP/IP Network Layer, page 3-11
Data Transfer in IP Networks, page 3-12
TCP/IP Transport Layer, page 3-16
Comparing the OSI Model and the TCP/IP Protocol Suite
Table 3-1

OSI Layer          | TCP/IP Layer
-------------------|-----------------------------------------------------------------
Application layer  | Application layer (e-mail, Telnet, web browsers, and so forth)
Presentation layer | Application layer (OSI presentation layer functionality, if implemented, is performed by the application layer)
Session layer      | Application layer (OSI session layer functionality, if implemented, is mostly performed by the application layer, except that packet sequencing is performed by the TCP/IP transport layer)
Transport layer    | Transport layer. Example: Transmission Control Protocol (TCP) or User Datagram Protocol (UDP)
Network layer      | Network layer. Example: Internet Protocol (IP)
Data link layer    | Data link layer. Depends on the physical layer used.
Physical layer     | Physical layer. Examples: different types of Ethernet (10BASE-T, 10BASE2, 10BASE5, 100BASE-TX, 100BASE-FX, 100BASE-T, 1000BASE-T, 1000BASE-SX), ISDN, DSL, and so forth.
The actual TCP/IP network protocol stack is included with the specific operating system, such as Windows, MacOS, Linux, UNIX, or Cisco IOS software. Figure 3-1 illustrates how data being sent on an Ethernet network from an application running on a computer to another application on a destination computer is processed by different layers of the TCP/IP protocol suite running on each computer. Although the figure shows TCP as the transport protocol, UDP is also frequently used where faster transmission at the expense of reliability is required.
Figure 3-1 TCP/IP Protocol Stack Example (figure: on the source computer, DATA from the application layer becomes TCP DATA at Layer 4 (transport layer), then IP header + TCP header + DATA at Layer 3 (IP layer), then Ethernet header + IP header + TCP header + DATA at Layer 2 (data link layer), and is transmitted by Layer 1 (physical layer); the destination computer removes the headers in the reverse order)
When a computer application, such as an e-mail program, sends data to another computer, the data is subjected to processing by the multiple TCP/IP layers starting with the application layer. The application layer forwards the data to the transport layer, the transport layer adds its header and passes the packet to the network layer and so on, until finally the physical layer receives the data and transmits it as a sequence of bits. The physical layer of the receiving computer receives the bits, and forwards them to the data link layer. The data link layer removes the Layer 2 header and forwards the packet to the network layer. The network layer similarly removes the Layer 3 header and hands the data to the transport layer. The transport layer then hands the data to the application program after removing the transport layer header.
Local Area Network Technology (Layer 1 and 2), page 3-3
Ethernet Physical Layer (Layer 1), page 3-4
Ethernet Data Link Layer (Layer 2), page 3-4
CSMA/CD Technology, page 3-5
LAN Transmission Methods, page 3-5
LAN Topologies and Components, page 3-6
Virtual LANs, page 3-7
Switch Port Modes, page 3-8
Spanning Tree Protocol, page 3-9
Rapid Spanning Tree Protocol, page 3-10
This document focuses on Ethernet LANs because that is the type of LAN used by most small businesses. Other LAN technologies, such as Token Ring, are far less common and are rarely implemented by small businesses. Wireless LANs (WLANs) are beyond the scope of this document, but Chapter 7, Infrastructure Requirement for Wireless LAN describes the wired LAN requirements for implementing a WLAN. An Ethernet LAN is composed of devices having Ethernet network interface cards (NICs) and one or more switches, interconnected through Ethernet cables. In an Ethernet LAN, each end user device, such as a laptop or a server, is connected by an Ethernet cable to a switch in the LAN. When any end-user device sends data to another device, the switch to which it is connected directs the data to the next switch, and this is repeated until the data reaches its destination. Ethernet provides both physical layer protocols and data link layer protocols, which are described in the following sections.
Ethernet Physical Layer (Layer 1)
Common Ethernet physical layer standards include the following:
- 10BASE-T: Category 3 or 5 cable having four wires (two twisted pairs of copper wires). Supports a maximum bandwidth of 10 megabits per second (Mbps).
- 100BASE-T: Category 5 cable having four wires (two twisted pairs of copper wires). Supports a maximum bandwidth of 100 Mbps. Also called Fast Ethernet.
- 1000BASE-T: Category 5 copper cable. Maximum bandwidth is 1 gigabit per second (Gbps).
- 1000BASE-FX: Fiber cable. Maximum bandwidth is 1 Gbps.
- 1000BASE-SX: Fiber cable. Maximum bandwidth is 1 Gbps.
- 1000BASE-LX: Fiber cable optimized for long distances. Maximum bandwidth is 1 Gbps.
Ethernet Data Link Layer (Layer 2)
The Ethernet data link layer performs the following functions:
- Assigns a data link layer address to each device, known as the MAC address
- Transmits data frames from the source to the destination over the physical media
- Performs transmission error detection
The manufacturer of every Ethernet device assigns the Ethernet MAC address, also called the hardware address, to the Ethernet interface within the device. For example, the Ethernet port on every laptop has a unique MAC address, and so does each Ethernet port on every router, switch, and server. MAC addresses must be unique; no two devices on the same LAN should have the same MAC address. Note, however, that although the address is stored in the interface hardware, most operating systems allow software to override it, so a MAC address identifies an interface but does not authenticate it. A MAC address is a 48-bit binary number, typically written as six hexadecimal bytes separated by periods, colons, or hyphens, such as the following:
00.13.E8.DD.47.76
When an IP packet is transferred over an Ethernet network, the Layer 3 (network layer) IP header is encapsulated within the Layer 2 (data link layer) Ethernet header, and it is the Ethernet header that allows the Ethernet frame to be directed to the destination MAC address. The Ethernet header contains the source and destination MAC addresses, along with additional information used by the data link layer.
CSMA/CD Technology
In an Ethernet LAN, multiple devices, such as laptops, can share a single Ethernet cable. Because multiple devices cannot talk on the shared cable simultaneously, an Ethernet LAN must use a mechanism that ensures that only one device sends data over the cable at a time. This mechanism is built into the Ethernet hardware and is called Carrier Sense Multiple Access with Collision Detection (CSMA/CD). With CSMA/CD, the devices connected to an Ethernet segment contend for the use of the cable. When a device has data to send, it first listens to see whether any other device is currently using the cable (carrier sense). If not, it starts sending, and it keeps listening while it sends so that it can detect a collision, which occurs when two devices transmit at the same time. When a collision is detected, each device stops, waits a random length of time, and then tries again; the random delay minimizes the chance of another collision. An Ethernet segment within which the connected devices compete for access is called a collision domain. The busier a network becomes, the more collisions occur, so the performance of an Ethernet network degrades rapidly as the number of devices on a single segment increases. One way to improve LAN performance is to use an Ethernet switch to segment the LAN into multiple collision domains, as shown in Figure 3-2. On a full-duplex point-to-point link between a device and a switch port, collisions cannot occur at all, and CSMA/CD is not used.
Figure 3-2 Switch Interconnects Multiple Collision Domains (figure: a single switch with five attached segments, labelled collision domain 1 to collision domain 5)
Using a switch in this way reduces the number of devices per network segment that must contend for the Ethernet media. By creating smaller collision domains, the performance of a LAN can be increased significantly.
LAN Transmission Methods
An Ethernet LAN supports three transmission methods:
- Unicast transmission: A single frame is sent from a source to a single destination on the network, based on the specific destination MAC address. Most data transfers in a LAN are unicast.
- Broadcast transmission: A single frame from a source is copied and sent to all devices on the network. The destination MAC address has a special value, called the broadcast MAC address, and the network delivers the frame to every station.
- Multicast transmission: A single frame from a source is sent to a specific subset of devices on the network. The destination MAC address has a special format, called a multicast MAC address, and the network delivers a copy of the frame to each station that is a receiver of that multicast address.
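The following is an added example, not code from the primer, that parses a MAC address written in any of the notations mentioned above and classifies it the way a switch or NIC does, using the two low-order bits of the first byte: the I/G bit distinguishes unicast from group (broadcast or multicast) addresses, and the U/L bit marks an address that was set by software rather than by the manufacturer. The mapping of a class D IPv4 address to its Ethernet multicast MAC (01:00:5E followed by the low 23 bits of the IP address) goes slightly beyond the text; it is the standard rule and is included because the primer discusses class D multicast later. The sample addresses are the primer's own example plus constructed values.

```python
# Added example (not from the Cisco primer): MAC address notation, OUI, and the
# I/G and U/L flag bits.  Sample addresses are constructed for the demonstration.

BROADCAST = b'\xff' * 6


def parse_mac(text):
    """Accept '00.13.E8.DD.47.76', '00:13:e8:dd:47:76', '00-13-E8-DD-47-76' or '0013.e8dd.4776'."""
    digits = ''.join(ch for ch in text if ch not in '.:-')
    if len(digits) != 12 or any(ch not in '0123456789abcdefABCDEF' for ch in digits):
        raise ValueError('not a 48-bit MAC address: %r' % text)
    return bytes.fromhex(digits)


def describe_mac(text):
    """Transmission type plus the two flag bits carried in the first byte of every MAC address."""
    mac = parse_mac(text)
    first = mac[0]
    is_broadcast = mac == BROADCAST
    is_multicast = bool(first & 0x01) and not is_broadcast   # I/G bit set: group address
    return {
        'canonical': mac.hex(':'),
        'oui': mac[:3].hex(':').upper(),   # first three bytes identify the manufacturer
        'transmission': 'broadcast' if is_broadcast else 'multicast' if is_multicast else 'unicast',
        # U/L bit set: the address was chosen by software, not burned in by the manufacturer,
        # so "permanent hardware address" cannot be assumed for this frame.
        'locally_administered': bool(first & 0x02),
    }


def ipv4_multicast_mac(group):
    """Ethernet multicast MAC that carries a class D IPv4 group on a LAN: 01:00:5E + low 23 bits."""
    octets = [int(o) for o in group.split('.')]
    if len(octets) != 4 or not 224 <= octets[0] <= 239:
        raise ValueError('not a class D (multicast) address: %r' % group)
    return '01:00:5e:%02x:%02x:%02x' % (octets[1] & 0x7F, octets[2], octets[3])
```

Because only 23 bits of the IP group address survive the mapping, 32 different class D addresses share one multicast MAC (for example 239.1.2.3 and 224.129.2.3), which is why a receiving host still checks the IP destination after the NIC has accepted the frame.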
Note: A router connects one LAN to another LAN or WAN. Therefore, the LAN interfaces of a router are also technically part of the LAN.

Modern Ethernet LANs use the star topology shown in Figure 3-3. In a star topology, multiple Ethernet segments are connected to a central device, which in modern LANs is a switch, but which could in principle also be a hub. All connections in a star topology are point-to-point, which means that each device is connected to the switch over a separate Ethernet cable.
Figure 3-3 Star Topology LAN (figure: a PC, a printer, an IP phone, a laptop, and a fax, each connected by its own cable to a central switch)
In the past, an Ethernet LAN might use a hub as the central connecting device in a star topology. However, a hub is not as efficient as a switch, and it is therefore no longer recommended. A hub is simply a multi-port repeater, which interconnects multiple Ethernet segments. A hub simply passes on (repeats) the frames it receives through all its ports, so that all devices connected to the hub receive the frame. Only the intended destination uses the frame, while the rest of the devices simply discard the frame. Therefore a hub generates a lot of unnecessary traffic in the LAN, which reduces the effective bandwidth of the LAN.
Figure 3-4 Ethernet Switch
A switch starts by listening. When it receives a frame, it learns the port on which the frame arrived and the source MAC address of the frame, which is the MAC address of the external device that sent it. Over time, as the switch receives traffic, it builds a table that maps the MAC address of each device to the port that is either connected to the device or that leads to the device through another switch.

When a switch receives a frame, it looks up the destination MAC address in this table. If the address is present, the switch forwards the frame only through the associated port. The address is not present if the destination device has not yet sent at least one frame through the switch. In this case the switch floods the frame, sending a copy out of every port except the one on which it arrived (a broadcast frame is always flooded in the same way). When the destination replies, the switch learns its source address on the port where the reply arrived, and subsequent traffic to that device is forwarded through that single port.

Because a switch learns the addresses of its connected devices over time, it sends far fewer unnecessary copies of frames than a hub, which improves LAN performance. In addition, a switch can forward traffic between several pairs of devices at the same time, which increases the overall network bandwidth. Having fewer devices on an Ethernet segment improves network performance by reducing collisions, so it is recommended to connect a switch port to a single device, or to an IP phone and the laptop (or other PC) of a single user. To summarize, the following are the recommendations for optimal network performance:
- Use a switch in a LAN rather than a hub.
- Connect only one user (or another switch) to each switch port.
Virtual LANs
Virtual LANs (VLANs) divide a LAN into multiple logical LANs. Each VLAN creates a separate Ethernet broadcast domain that separates traffic from other VLANs. VLANs are useful when it is necessary to separate groups of users connected to the same physical LAN segment. For example, the accounting department may need to ensure that network traffic from the accounting servers is not received by users outside their department. In this case, users and servers in the accounting department can be placed in a separate VLAN.
A VLAN is identified by a number, and a name may be assigned to clarify its purpose. A new switch, by default, places all of its ports in VLAN 1, the default VLAN (VLAN 1 is also the default native VLAN of trunk ports, described in the Switch Port Modes section), so that traffic can flow between any pair of ports as soon as the switch is enabled. When the switch is configured, the network administrator creates additional VLANs, assigns each VLAN a number, and assigns switch ports to the VLANs. For example, ports connected to all the users and servers in the accounting department might be assigned to VLAN 50, named accounting. Sales department users and servers can be assigned to VLAN 51, named sales, and managers can be assigned to VLAN 52, named managers. An access port belongs to a single VLAN; a port carries more than one VLAN only when it is configured as a trunk port. After ports are assigned VLAN numbers, the switch allows traffic to flow only between ports of the same VLAN. In Figure 3-5, for example, the switch allows a frame received on a port in VLAN 50 to be sent to any device connected to any other port in VLAN 50.
Figure 3-5 Segmenting a LAN into Multiple Virtual LANs (figure: one switch whose ports are assigned to a VLAN for the Accounts department (VLAN number 50, VLAN name accounts) and a VLAN for the Managers department (VLAN number 52, VLAN name managers))
Recall that a switch sends a broadcast frame to all its ports. However, because each VLAN is a separate logical LAN, broadcasts in a VLAN are restricted to the ports within a single VLAN, and therefore do not affect other ports on the switch. In this way, a VLAN defines a separate broadcast domain within a switched network. Well-designed VLANs segment the network into multiple smaller broadcast domains, which can further improve overall network performance, as well as enhancing security and ease of administration.
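The following is an added example, not code from the primer, that models the learning, flooding and forwarding behaviour described in the Ethernet Switch section together with the VLAN separation described here. Port numbers, the VLAN assignment (ports 1 and 2 in VLAN 50, ports 3 and 4 in VLAN 51) and the MAC addresses are constructed for the demonstration; the MAC table is keyed by VLAN as well as by address, which is what keeps a flood inside its VLAN.

```python
# Added example (not from the Cisco primer): a learning switch with access ports in VLANs.
# Ports, VLAN numbers and MAC addresses below are made up for the demonstration.

def is_group_address(mac):
    """Broadcast and multicast MACs have the low bit of the first byte set; both are flooded."""
    return int(mac[:2], 16) & 1 == 1


class Switch:
    def __init__(self, port_vlans):
        # access port -> VLAN number; a new switch would have every port in VLAN 1
        self.port_vlans = dict(port_vlans)
        # (vlan, mac) -> port, learned from the source address of received frames
        self.mac_table = {}

    def receive(self, in_port, src_mac, dst_mac):
        """Process one frame arriving on in_port; return the list of ports it is sent out of."""
        vlan = self.port_vlans[in_port]
        self.mac_table[(vlan, src_mac)] = in_port            # learn (or re-learn) the sender
        if is_group_address(dst_mac) or (vlan, dst_mac) not in self.mac_table:
            # broadcast, multicast or unknown unicast: flood, but only to other ports
            # of the same VLAN and never back out of the port the frame arrived on
            return sorted(p for p, v in self.port_vlans.items() if v == vlan and p != in_port)
        out_port = self.mac_table[(vlan, dst_mac)]
        return [] if out_port == in_port else [out_port]    # same port: nothing to forward

    def learned_port(self, vlan, mac):
        return self.mac_table.get((vlan, mac))
```

Note that a host in VLAN 51 sending to a MAC address that the switch has learned in VLAN 50 still gets flooded within VLAN 51 only: the entry exists, but under a different VLAN, so the frame never reaches the accounting ports.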
The IEEE 802.1Q standard specifies the format for Ethernet frames when the frame is sent through a trunk port. Such a trunk link is often called an 802.1q trunk. The standard Ethernet frame format is enhanced to include a special field that carries the VLAN number of the frame. This enables the receiver to distinguish between traffic belonging to different VLANs. For example, the network shown in Figure 3-6 has two VLANs:
- VLAN 31 (DATA VLAN): Traffic from laptops and PCs
- VLAN 41 (Voice VLAN): IP telephone traffic
All the laptops are connected to access ports on the switches that are placed in VLAN 31 (or DATA VLAN). Similarly, all IP telephones are attached to access ports in VLAN 41 (Voice VLAN). The inter-switch link and the link to the WAN router are 802.1q trunks. Each trunk carries traffic of both VLANs.
Figure 3-6 VLANs, Access Ports, and Trunk Ports (figure: IP phones on access ports in the Voice VLAN (VLAN 41) and PCs on access ports in the DATA VLAN (VLAN 31) are attached to access switches; 10/100/1000 Mbps 802.1Q trunks carrying both the DATA and Voice VLANs connect the access switches to an aggregation switch, and another 802.1Q trunk connects the aggregation switch to the WAN router)
Figure 3-6 shows user computers and IP phones in separate VLANs, connected to separate ports on the switch. However, for every person having both devices, two separate cables are required from the desk to the nearest switch, which could be hundreds of feet away. To reduce the number of cables, some advanced IP phones contain an internal switch. In this case, the laptop is connected to the switch in the IP phone, and the IP phone forwards the traffic of both the DATA and Voice VLANs to the access switch through a single cable. The connection between the IP phone and the access switch can therefore be an 802.1Q trunk. However, some vendors support the use of an access link instead, by tagging the data and voice frames in a specific way.
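The following is an added example, not code from the primer, that shows what the 802.1Q "special field" actually looks like on the wire: a 4-byte tag inserted after the source MAC address, made of the tag protocol identifier 0x8100 and a 16-bit tag control field whose low 12 bits are the VLAN number and whose top 3 bits carry a priority (the voice VLAN in Figure 3-6 would typically use priority 5). The functions model an access switch placing a frame from VLAN 31 or 41 onto a trunk, and the aggregation switch reading the tag back. The MAC addresses and payload are constructed; the rule that an untagged frame arriving on a trunk belongs to the native VLAN is standard 802.1Q behaviour.

```python
# Added example (not from the Cisco primer): inserting and reading an 802.1Q VLAN tag.
import struct

ETHERTYPE_8021Q = 0x8100


def build_frame(dst_mac, src_mac, ethertype, payload):
    """Untagged Ethernet frame as it leaves an end device connected to an access port."""
    to_bytes = lambda m: bytes.fromhex(m.replace(':', '').replace('.', '').replace('-', ''))
    return struct.pack('!6s6sH', to_bytes(dst_mac), to_bytes(src_mac), ethertype) + payload


def tag_frame(frame, vlan_id, priority=0):
    """Insert the 802.1Q tag: TPID 0x8100, then TCI = PCP (3 bits) | DEI (1 bit, 0) | VID (12 bits)."""
    if not 1 <= vlan_id <= 4094:             # 0 and 4095 are reserved by the standard
        raise ValueError('VLAN ID must be 1..4094: %r' % vlan_id)
    if not 0 <= priority <= 7:
        raise ValueError('802.1p priority must be 0..7: %r' % priority)
    tci = (priority << 13) | vlan_id
    return frame[:12] + struct.pack('!HH', ETHERTYPE_8021Q, tci) + frame[12:]


def untag_frame(frame, native_vlan=1):
    """Return (vlan_id, priority, frame without the tag) for a frame received on a trunk."""
    if len(frame) < 14:
        raise ValueError('truncated frame')
    (ethertype,) = struct.unpack('!H', frame[12:14])
    if ethertype != ETHERTYPE_8021Q:
        return native_vlan, 0, frame        # untagged on a trunk: belongs to the native VLAN
    (tci,) = struct.unpack('!H', frame[14:16])
    return tci & 0x0FFF, tci >> 13, frame[:12] + frame[16:]


def trunk_egress(frame, vlan_id, native_vlan=1, priority=0):
    """What an access switch puts on the trunk for a frame received on an access port in vlan_id."""
    return frame if vlan_id == native_vlan else tag_frame(frame, vlan_id, priority)
```

The native VLAN case is worth noticing: frames of the native VLAN travel untagged, and any untagged frame received on a trunk is assigned to the native VLAN, so both ends of a trunk must agree on it, and it is common practice to keep the native VLAN separate from any VLAN that carries user traffic.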
devices. Redundant links are required in a network to provide high availability in case of the failure of any link. STP responds to the failure of a link by enabling the appropriate standby link. When the failed link is restored, STP again puts the redundant link in standby mode.
Figure 3-7 Loop-Free Topology with Spanning Tree Protocol (figure: with no Spanning Tree, a packet from laptop A to laptop B can loop between two switches connected by parallel paths; with Spanning Tree, one port is blocked to eliminate the loop and the packet is delivered)
STP running on a switch sends special frames to the other switches at regular intervals, called Bridge Protocol Data Units (BPDU). BPDUs allow the switch to discover the topology of the network, to identify the forwarding links and standby links, and to disable links as necessary to prevent a loop. If the LAN is changed by adding more devices or modifying Ethernet connections, STP calculates new loop-free paths automatically. Per VLAN Spanning Tree (PVST) ensures a loop-free LAN topology separately for each VLAN.
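The following is an added example, not code from the primer, that computes the loop-free topology STP converges on once the BPDUs have been exchanged: the switch with the lowest bridge ID (priority followed by MAC address) becomes the root, every other switch keeps the port with the lowest cost to the root as its root port, each link gets one designated port on the end closest to the root, and every remaining port is blocked. The bridge priorities, MAC addresses, port numbers and link costs are constructed; the first test reproduces the two-switch parallel-link case of Figure 3-7.

```python
# Added example (not from the Cisco primer): the STP root election and port roles.
import heapq


def bridge_id(priority, mac):
    """STP bridge ID: 16-bit priority followed by the 48-bit MAC; the lowest value wins the root election."""
    return (priority << 48) | int(mac.replace(':', '').replace('.', ''), 16)


def run_stp(bridges, links):
    """bridges: {name: (priority, mac)}.  links: [(a, port_on_a, b, port_on_b, cost)].
    Returns (root bridge name, {bridge: {port: 'root' | 'designated' | 'blocked'}})."""
    bid = {name: bridge_id(prio, mac) for name, (prio, mac) in bridges.items()}
    root = min(bid, key=bid.get)
    adj = {name: [] for name in bridges}
    for a, pa, b, pb, cost in links:
        adj[a].append((b, pa, pb, cost))
        adj[b].append((a, pb, pa, cost))
    # best[x] = (root path cost, upstream bridge ID, upstream port): the order BPDUs are compared in
    best = {root: (0, bid[root], 0)}
    root_port = {}
    heap = [(best[root], root)]
    while heap:
        key, node = heapq.heappop(heap)
        if key != best[node]:
            continue                                  # stale heap entry
        for nbr, my_port, nbr_port, cost in adj[node]:
            cand = (key[0] + cost, bid[node], my_port)
            if nbr not in best or cand < best[nbr]:
                best[nbr] = cand
                root_port[nbr] = nbr_port             # the port on which the best BPDU arrived
                heapq.heappush(heap, (cand, nbr))
    unreachable = set(bridges) - set(best)
    if unreachable:
        raise ValueError('not connected to the root: %s' % sorted(unreachable))
    state = {name: {} for name in bridges}
    for a, pa, b, pb, _ in links:
        state[a][pa] = 'blocked'
        state[b][pb] = 'blocked'
    for a, pa, b, pb, _ in links:
        # one designated port per link: the end closest to the root (lowest cost, then bridge ID, then port)
        name, port = min((a, pa), (b, pb), key=lambda end: (best[end[0]][0], bid[end[0]], end[1]))
        state[name][port] = 'designated'
    for name, port in root_port.items():
        state[name][port] = 'root'
    return root, state


def forwarding_links(links, state):
    """Links with no blocked end.  For a loop-free tree this is exactly len(bridges) - 1 links."""
    return [l for l in links if state[l[0]][l[1]] != 'blocked' and state[l[2]][l[3]] != 'blocked']
```

Whichever switch has the lowest bridge ID becomes the root, so in practice the priority of the intended root switch is lowered explicitly; if it is left at the default, the election is decided by MAC address alone, and any newly connected switch with a lower MAC address can take over the root role and reshape the forwarding topology.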
IP Version 4 and IP Version 6, page 3-11
IP Packet, page 3-11
IP Address Classes, page 3-13
Private IP Addresses, page 3-14
Network Masks, page 3-15
IP Subnetting, page 3-15
TCP/IP Transport Layer, page 3-16
The 32 bits of an IPv4 address provide up to 4.3 billion unique IP addresses. This number was deemed to be adequate when TCP/IP protocol suite was initially devised. However, with the explosive growth of IP devices, it is now estimated that IP addresses will be exhausted eventually. As a result, IP version 6 (IPv6) has been defined, which uses 128-bit addresses. However, IPv6 has not yet been deployed widely. This document therefore focuses on IPv4 because it is used in the vast majority of networks. The term IP, as used in this document, refers to IPv4.
IP Packet
Sending information over a computer network is analogous to sending a letter through the postal network. Just as a letter is placed in an envelope on which the destination address and the source address are written, the data to be transmitted (the payload) is placed in an IP packet that carries the IP addresses of the destination and source devices. A post office examines the destination address of a letter and forwards it to another post office if it cannot be delivered locally. Similarly, a router examines the destination IP address in the IP packet and forwards the packet to another router unless the destination is on a network that is connected directly to the router. Just as the post office uses the zip code, which is part of the address, to decide where to forward the letter, the router examines the first part of the IP address, called the network ID, to identify the router to which the packet should be forwarded. The IP address, along with other information that helps in the transmission of the packet, is contained in the IP header. The IP header also provides information that allows the receiving device to verify that the header was not corrupted in transit (see Figure 3-8).
Figure 3-8 IP Header Structure (figure: the annotated fields are Type of service, which contains the IP precedence or IP DSCP value that identifies traffic such as voice and video; Protocol, which identifies the type of payload (TCP, UDP, and so forth) so that the payload can be processed further; and the IP address of the packet source)
Figure 3-8 shows the format of an IP packet, including the structure of the IP header and the function of its most important fields. Although every header field matters to a networking device, only the fields annotated in the figure are needed to understand IP networks.

Data Transfer in IP Networks
IP networks support three kinds of transmission:
- Unicast: A single source sends information to a single destination.
- Broadcast: A single source sends information to every device in the network.
- Multicast: A single source sends information to a predefined group of destinations. Destinations can be added to or removed from the group.
Most communications in IP networks are unicast, although some applications support multicast communication, such as a single video stream simultaneously watched by numerous viewers. Networks use broadcast and multicast communication internally among network devices for certain signaling and control functions. Just as a switch forwards traffic in a Layer 2 network, a router forwards traffic using Layer 3 protocols. The router uses IP addresses to forward traffic in a network. For routing traffic in the network, a router implements the lower three layers of the TCP/IP protocol suite: the physical, data link, and IP layers.
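The following is an added example, not code from the primer, that carries the encapsulation of Figures 2-2 and 3-1 through in working code and, on the way back up, shows what each layer checks in the header fields described for Figure 3-8: the Ethernet EtherType, the IP version, length, TTL, Type of service (DSCP), Protocol and header checksum, and the TCP ports. The MAC address is the primer's example; the IP addresses are the laptop addresses from Figure 4-1; the port numbers, the second MAC address and the payload are constructed. The TCP checksum over the IP pseudo-header is standard TCP behaviour, included so that the transport header is complete.

```python
# Added example (not from the Cisco primer): encapsulate DATA into TCP, IP and Ethernet
# headers, then decapsulate and verify each layer's header.  Sample addresses below are
# taken from the primer's figures or constructed for the demonstration.
import socket
import struct

ETHERTYPE_IPV4 = 0x0800
PROTO_TCP, PROTO_UDP = 6, 17


def mac_to_bytes(text):
    """'00.13.E8.DD.47.76' or '00:13:e8:dd:47:76' -> 6 raw bytes."""
    return bytes.fromhex(text.replace('.', '').replace(':', '').replace('-', ''))


def ones_complement_sum(data):
    """16-bit one's-complement checksum used by the IP header (and, over a pseudo-header, by TCP/UDP)."""
    if len(data) % 2:
        data += b'\x00'
    total = sum(struct.unpack('!%dH' % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)      # fold the carries back in
    return (~total) & 0xFFFF


def build_tcp(src_ip, dst_ip, sport, dport, seq, payload, flags=0x18):
    """Transport layer: 20-byte TCP header (ports, sequence number, flags) in front of the DATA."""
    hdr = struct.pack('!HHIIBBHHH', sport, dport, seq, 0, 5 << 4, flags, 65535, 0, 0)
    pseudo = socket.inet_aton(src_ip) + socket.inet_aton(dst_ip) + struct.pack('!BBH', 0, PROTO_TCP, len(hdr) + len(payload))
    csum = ones_complement_sum(pseudo + hdr + payload)
    return hdr[:16] + struct.pack('!H', csum) + hdr[18:] + payload


def build_ipv4(src_ip, dst_ip, proto, payload, ttl=64, dscp=0):
    """Network layer: version/IHL, Type of service (DSCP), total length, ID, flags (DF), TTL, Protocol, checksum, addresses."""
    hdr = struct.pack('!BBHHHBBH4s4s', 0x45, dscp << 2, 20 + len(payload), 0, 0x4000, ttl, proto, 0,
                      socket.inet_aton(src_ip), socket.inet_aton(dst_ip))
    csum = ones_complement_sum(hdr)
    return hdr[:10] + struct.pack('!H', csum) + hdr[12:] + payload


def build_ethernet(src_mac, dst_mac, packet):
    """Data link layer: destination and source MAC, plus the EtherType saying an IP packet follows."""
    return struct.pack('!6s6sH', mac_to_bytes(dst_mac), mac_to_bytes(src_mac), ETHERTYPE_IPV4) + packet


def encapsulate(data, src_mac, dst_mac, src_ip, dst_ip, sport, dport, dscp=0):
    """Source side of Figure 3-1: DATA -> TCP DATA -> IP TCP DATA -> Ethernet IP TCP DATA."""
    segment = build_tcp(src_ip, dst_ip, sport, dport, 1, data)
    packet = build_ipv4(src_ip, dst_ip, PROTO_TCP, segment, dscp=dscp)
    return build_ethernet(src_mac, dst_mac, packet)


def decapsulate(frame):
    """Destination side: each layer strips its header, checks what it is responsible for, and hands the rest up."""
    dst_mac, src_mac, ethertype = struct.unpack('!6s6sH', frame[:14])
    if ethertype != ETHERTYPE_IPV4:
        raise ValueError('not an IPv4 frame (EtherType 0x%04x)' % ethertype)
    packet = frame[14:]
    ver_ihl, tos, total_len, _, _, ttl, proto, _, src, dst = struct.unpack('!BBHHHBBH4s4s', packet[:20])
    ihl = (ver_ihl & 0x0F) * 4
    if ver_ihl >> 4 != 4 or ihl < 20 or total_len > len(packet):
        raise ValueError('malformed IP header')
    if ones_complement_sum(packet[:ihl]) != 0:        # an intact header, checksum included, sums to zero
        raise ValueError('IP header checksum mismatch: packet corrupted in transit')
    segment = packet[ihl:total_len]
    info = {'src_mac': src_mac.hex(':'), 'dst_mac': dst_mac.hex(':'),
            'src_ip': socket.inet_ntoa(src), 'dst_ip': socket.inet_ntoa(dst),
            'ttl': ttl, 'dscp': tos >> 2, 'protocol': {PROTO_TCP: 'TCP', PROTO_UDP: 'UDP'}.get(proto, proto)}
    if proto == PROTO_TCP:                            # the Protocol field selects the next parser
        sport, dport, seq, _, offset, flags = struct.unpack('!HHIIBB', segment[:14])
        pseudo = src + dst + struct.pack('!BBH', 0, PROTO_TCP, len(segment))
        if ones_complement_sum(pseudo + segment) != 0:
            raise ValueError('TCP checksum mismatch')
        info.update(sport=sport, dport=dport, seq=seq, flags=flags, data=segment[(offset >> 4) * 4:])
    return info
```

The IP checksum covers only the header, which is why a router can decrement the TTL and recompute it cheaply, and why corruption of the payload is left for the transport layer (here the TCP checksum) to catch.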
The IP layer identifies each network by a network ID, which is the first part of the IP address. The router looks only at the network part of the address to determine whether the packet can be delivered locally or whether it has to be forwarded to another router. The router identifies the next hop router by looking at its routing table. The way the routing table is structured and populated depends on the routing protocol used, as described in the Routing and Routing Protocols section on page 4-1.
IP Address Classes
The binary number system uses 2 as its base, in the same way that the decimal system uses 10. Whether using base 10 or base 2, the value of a number is the sum of each digit multiplied by the place value of its position. As an example using base 10, the number 234 can be written as:
234 = 2 x 10^2 + 3 x 10^1 + 4 x 10^0
Similarly, the four-digit binary number 1011 can be written as:
1 x 2^3 + 0 x 2^2 + 1 x 2^1 + 1 x 2^0 = 8 + 0 + 2 + 1
This binary number therefore has a value of 8 + 0 + 2 + 1 = 11. The 32 binary digits in an IPv4 address are divided into four bytes to make the address easier to read. The IP dotted-decimal format expresses each of the four bytes as a decimal number and separates the decimal numbers by periods. The range of values in a byte is 00000000 to 11111111 in binary, or 0 to 255 in decimal. Figure 3-9 illustrates an example of an IP address in dotted-decimal format and its binary equivalent.
Figure 3-9 IP Address in Binary and Dotted-Decimal Format (figure: each byte of the address is shown in decimal and in binary, for example byte 2 = 7 = 00000111, byte 3 = 2 = 00000010, byte 4 = 23 = 00010111, and the decimal values are written separated by periods)
There are five classes of networks, A to E, but only class A, B, and C addresses are commonly assigned to network devices (see Table 3-2).
Table 3-2 IP Network Address Classes

Class | Network ID bits | Network address range        | Host address range
------|-----------------|------------------------------|----------------------------
A     | 8               | 1.0.0.0 to 126.0.0.0         | 1.0.0.1 to 126.255.255.254
B     | 16              | 128.0.0.0 to 191.255.0.0     | 128.0.0.1 to 191.255.255.254
C     | 24              | 192.0.0.0 to 223.255.255.0   | 192.0.0.1 to 223.255.255.254
D     | N/A (multicast) | 224.0.0.0 to 239.255.255.255 | N/A
E     | N/A (reserved)  | 240.0.0.0 to 255.255.255.255 | N/A
Class A and B networks can have a huge number of IP addresses. A Class C network has only 254 IP addresses available for devices, because the host IDs 0 and 255 are reserved for the network address and the broadcast address. Class D addresses represent multicast destinations. Because a multicast stream is received by many devices, a multicast address is not specific to a single device. Instead, any device that wishes to receive a multicast stream addressed to a specific class D IP address submits a request to receive the stream using the Internet Group Management Protocol (IGMP).
Private IP Addresses
As mentioned earlier, some addresses have been set aside for use within the private networks of different organizations. These addresses cannot be used on devices connected directly to the public Internet, but the same addresses can be used by different organizations as long as they are confined to the private network and are not seen on the public Internet. Table 3-3 shows the IP address ranges that have been specified as reusable in the Internet standard, RFC 1918.
Table 3-3 Private IP Address Ranges

From        | To              | Subnet mask (prefix)
------------|-----------------|----------------------
10.0.0.0    | 10.255.255.255  | 255.0.0.0 (/8)
172.16.0.0  | 172.31.255.255  | 255.240.0.0 (/12)
192.168.0.0 | 192.168.255.255 | 255.255.0.0 (/16)
These reserved addresses are called private IP addresses, or RFC 1918 addresses. They are also called non-routable addresses, because they cannot be routed over the public Internet. IP addresses that are not private are called public IP addresses, or routable addresses. The internal network belonging to a business can use the entire range of private IP addresses, and this helps relieve the scarcity of IPv4 addresses. Devices within the private network can communicate using private IP addresses without any problem, because within the network each device has a unique IP address. Different organizations may also use the same range of private IP addresses, but these private addresses cannot be used for communication between two organizations over the public Internet. The TCP/IP protocol specification allows only communication over the public Internet using public IP addresses.
The solution to this problem is provided by a widely used address translation scheme that allows communication over the Internet between two organizations that use private IP addresses (see the Network Address Translation section on page 5-13.)
Network Masks
A network mask specifies the portion of an IP address that identifies the network and the portion that identifies the host. Class A, B, and C networks have default masks, also known as natural masks, as follows:
- Class A: 255.0.0.0 (the first 8 bits identify the network)
- Class B: 255.255.0.0 (the first 16 bits identify the network)
- Class C: 255.255.255.0 (the first 24 bits identify the network)
To see how the mask helps identify the network and node parts of the address, convert the address and mask to binary numbers, as in the following example:
8.20.15.1 = 00001000.00010100.00001111.00000001
255.0.0.0 = 11111111.00000000.00000000.00000000
Any bits that have corresponding mask bits set to 1 represent the network ID. Any address bits that have corresponding mask bits set to 0 represent the node ID. In this example, the network ID is 8.0.0.0 and the host ID is 20.15.1, because the network mask indicates that only the first eight bits should be used to identify the network and the rest identify the host.
IP Subnetting
Subnetting divides a class A, B, or C network into multiple subnetworks, or subnets. If an organization has one class C network for the entire organization, it is difficult to build the network without subnetting, because each router interface requires its own network (or subnet): each segment in a network must have a unique network ID, and every device on the same segment appears at the network layer as a host attached to the same network. A single network therefore allows only a single network segment, which is too restrictive. Subnetting provides a number of smaller networks, each of which can be assigned to one network segment. To subnet a network, extend the natural mask for the class by borrowing some of the bits from the host ID portion of the address to create a subnetwork ID. Figure 3-10 shows the network 162.18.5.0 with a mask of 255.255.255.0 (the size of a Class C network, although 162.18.5.0 itself lies in the Class B range and is therefore already a subnet of 162.18.0.0) that is subnetted by extending the mask by three more bits.
3-15
Figure 3-10
Subnet bits
By extending the mask to 255.255.255.224, three bits are taken from the original host portion of the address and used to create subnets. With these three bits, it is possible to create eight subnets (000 to 111). With the remaining five host ID bits, each subnet can have up to 32 host addresses. However, only 30 of these addresses can actually be assigned to devices because host IDs with all zeroes or all ones are not allowed. It is very important to remember this. Keeping this in mind, the following subnets can be created using the subnet mask 255.255.255.224:
Table 3-4 Subnets and host addresses with subnet mask 255.255.255.224

Network Address | Host Address Range
----------------|----------------------------
162.18.5.0      | 162.18.5.1 to 162.18.5.30
162.18.5.32     | 162.18.5.33 to 162.18.5.62
162.18.5.64     | 162.18.5.65 to 162.18.5.94
162.18.5.96     | 162.18.5.97 to 162.18.5.126
162.18.5.128    | 162.18.5.129 to 162.18.5.158
162.18.5.160    | 162.18.5.161 to 162.18.5.190
162.18.5.192    | 162.18.5.193 to 162.18.5.222
162.18.5.224    | 162.18.5.225 to 162.18.5.254
Subnetting occurs frequently in public networks. A small business typically uses private IP addresses on its private LAN. Subnetting is not required in a private network because each network segment can be assigned a different private Class C network address. However, subnetting might be useful if the business is assigned a public Class C address and it has more than one network segment that is accessed from the public Internet. The alternative, in this case, is to use private network addresses with Network Address Translation (NAT) for the network segments accessed from the public Internet. This is described in the Network Address Translation section on page 5-13. Public network addresses assigned by an ISP are typically already subnetted based on the number of host addresses required.
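The following is an added example, not code from the primer, that performs with explicit bit operations the calculations of the IP Address Classes, Private IP Addresses, Network Masks and IP Subnetting sections: the binary expansion of Figure 3-9, the class and natural mask of an address, the RFC 1918 check, the network ID / host ID split of the 8.20.15.1 example, and the subnet enumeration of Table 3-4 (including the reserved all-zeros and all-ones host IDs). The last function cross-checks the enumeration against Python's standard ipaddress module; the addresses are the primer's own examples.

```python
# Added example (not from the Cisco primer): classful addresses, masks and subnetting by hand.
import ipaddress

# RFC 1918 private ranges as (network, mask); the mask here is the size of the reserved block
RFC1918 = (('10.0.0.0', '255.0.0.0'), ('172.16.0.0', '255.240.0.0'), ('192.168.0.0', '255.255.0.0'))
NATURAL_MASKS = {'A': '255.0.0.0', 'B': '255.255.0.0', 'C': '255.255.255.0'}


def to_int(dotted):
    octets = [int(o) for o in dotted.split('.')]
    if len(octets) != 4 or any(not 0 <= o <= 255 for o in octets):
        raise ValueError('bad dotted-decimal address: %r' % dotted)
    return (octets[0] << 24) | (octets[1] << 16) | (octets[2] << 8) | octets[3]


def to_dotted(value):
    return '.'.join(str((value >> shift) & 0xFF) for shift in (24, 16, 8, 0))


def to_binary(dotted):
    """Figure 3-9 style: each byte as eight binary digits, separated by periods."""
    value = to_int(dotted)
    return '.'.join(format((value >> shift) & 0xFF, '08b') for shift in (24, 16, 8, 0))


def address_class(dotted):
    first = to_int(dotted) >> 24
    if 1 <= first <= 126:            # first octet 0 and 127 are reserved
        return 'A'
    if 128 <= first <= 191:
        return 'B'
    if 192 <= first <= 223:
        return 'C'
    if 224 <= first <= 239:
        return 'D'
    return 'E' if first >= 240 else None


def natural_mask(dotted):
    return NATURAL_MASKS.get(address_class(dotted))


def split_address(dotted, mask):
    """Network ID and host ID as in the 8.20.15.1 / 255.0.0.0 example: mask bit 1 = network, 0 = host."""
    a, m = to_int(dotted), to_int(mask)
    return to_dotted(a & m), to_dotted(a & ~m & 0xFFFFFFFF)


def is_private(dotted):
    a = to_int(dotted)
    return any(a & to_int(mask) == to_int(net) for net, mask in RFC1918)


def subnets(network, mask, new_mask):
    """Enumerate the subnets obtained by extending mask to new_mask, with their usable host ranges."""
    net, old, new = to_int(network), to_int(mask), to_int(new_mask)
    if new & old != old:
        raise ValueError('the subnet mask must extend the existing mask, not shrink it')
    if net & ~old & 0xFFFFFFFF:
        raise ValueError('%s has host bits set; it is not a network address' % network)
    size = (~new & 0xFFFFFFFF) + 1              # addresses per subnet
    if size < 4:
        raise ValueError('mask leaves no assignable host addresses')
    return [{'network': to_dotted(base),            # host ID all zeros: the subnet itself
             'first_host': to_dotted(base + 1),
             'last_host': to_dotted(base + size - 2),
             'broadcast': to_dotted(base + size - 1),  # host ID all ones: the subnet broadcast
             'usable_hosts': size - 2}
            for base in range(net, net + (~old & 0xFFFFFFFF) + 1, size)]


def stdlib_subnet_networks(cidr, new_prefix):
    """Cross-check: the same subnets computed by the standard library."""
    return [str(n.network_address) for n in ipaddress.ip_network(cidr).subnets(new_prefix=new_prefix)]
```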
An application running on one computer can establish one or more TCP connections with one or more applications running on another computer. For example, laptop A can establish one TCP connection for file transfer with computer B, and another TCP connection for viewing a web page that is also hosted on computer B. Each TCP connection is independent, so the failure of one connection has no impact on the other unless both are used by the same application and depend on each other.

When data is sent over a TCP connection, the destination acknowledges the segments it receives. This lets TCP detect packet loss and resend lost data, which is why TCP can ensure reliable transfer for applications that do not have their own error recovery mechanisms. TCP also adjusts its sending rate in response to network congestion. TCP is used by applications such as web browsers, e-mail, and file transfer, which can tolerate the delay caused by retransmission and depend on the TCP error recovery mechanism. Applications that are sensitive to delay, or that would rather lose a packet than wait for it to be retransmitted and put back in sequence, generally do not use TCP.

UDP is a connectionless transport protocol, and does not require the overhead of setting up or tearing down a connection, so it provides more efficient data transfer than TCP. However, UDP has no acknowledgement mechanism, cannot resend lost packets, and has no method for controlling the rate of transmission. UDP is a best-effort transport protocol and does not ensure reliable data transfer. It is commonly used by applications that provide their own error recovery mechanisms, or that cannot tolerate retransmission of packets, such as IP telephony or streaming video.

An application running on a computer may use TCP or UDP to send data to another application running either on the same computer or on another computer. To identify each such application, the computer assigns a TCP or UDP port number to each application. The TCP/IP protocol suite predefines a set of well-known ports for commonly used applications, such as TCP port 25 for e-mail (SMTP) and TCP port 80 for web services (HTTP). The TCP/IP protocol suite does not define protocols for the OSI session, presentation, and application layers; in the TCP/IP model, the applications running on a computer perform the functions of these three layers. The TCP and UDP port numbers provided by the transport layer allow an IP packet to be directed to the correct application at a specific destination IP address, and the application then completes the processing that the OSI model defines for the upper layers.
Chapter 4
Routing and Routing Protocols, page 4-1
Address Resolution Protocol, page 4-3
Dynamic Host Control Protocol, page 4-4
Domain Name System, page 4-5
Dynamic DNS, page 4-6
Figure 4-1 Network with five routers (R1 through R5) connecting Laptop A (10.11.31.10) and Laptop B (192.168.3.10); each link is labelled with its routing cost (for example Cost 10 and Cost 20), and router interfaces carry addresses such as 10.11.31.1 and 60.10.1.2
Figure 4-1 illustrates a network with five routers that are connected to Ethernet or other types of network segments. Because an IP address belongs to Layer 3, a router is said to perform Layer 3 forwarding. By contrast, a switch forwards traffic based on the MAC address and so performs Layer 2 forwarding. A related technique, Layer 3 switching, is described in the Layer 3 Switching section on page 5-5. Routers can have multiple interfaces of different types for connecting to LANs or to WANs. Each interface is connected to a different network and has a unique network ID. The router forwards packets between networks through its interfaces. Each path in a network has an associated cost for routing. This cost can be assigned in one of the following ways:
Calculated automatically based on the bandwidth of each network link
Calculated automatically based on the number of network links (hops) to reach the destination
Configured explicitly
A router forwards packets to the destination using what appears to the router as the lowest cost path, which is determined by the routing protocol used.
Static Routing
A router can be manually configured to forward traffic destined to a specific network or subnetwork by forwarding it to the IP address of a specific router (known as next hop IP address), or through a local interface. A manually configured fixed route rule is called a static route, which is permanent unless it is manually changed. The default route is a special static route that specifies the next hop IP address to which traffic should be forwarded when the route to the destination network is unknown.
Dynamic Routing
Routers using a dynamic routing protocol automatically exchange messages and learn the best way to forward packets from a source to a destination based on the path cost. Some widely used dynamic routing protocols include the following:
Routing Information Protocol (RIP)
Interior Gateway Routing Protocol (IGRP)
Extended Interior Gateway Routing Protocol (EIGRP)
Open Shortest Path First (OSPF)
Intermediate System to Intermediate System (IS-IS)
Border Gateway Protocol (BGP)
Dynamic routing can be selectively enabled on a router to work on specific IP subnetworks and not for the others. With dynamic routing protocols running on every router, if a router or a link joining two routers fails, the routers exchange information about the failure and identify an alternate network path from a source to a destination, if available.
Depending on the network size and complexity, the number of routers, and the routing protocols used, network convergence may take a fraction of a second to a few seconds. Fast convergence helps to make the network more resilient in the event of component failure. If a business has two or more routers in the same location, dynamic routing is strongly recommended. Protocols such as EIGRP and OSPF are more efficient than RIP v2 when the network has many routers. To configure dynamic routing on a router, at a minimum you need to specify the following:
The dynamic routing protocol name (RIP v2, EIGRP, OSPF, or whatever protocol is used)
The list of network subnets that the routing protocol should advertise to other routers
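The lowest-cost path selection and the reconvergence after a link failure described above, as an added example (not code from the primer or from any Cisco product): a link-state style shortest-path computation in Python over a five-router topology. The router names R1 to R5 and the cost values 10 and 20 follow Figure 4-1, but which routers are linked and the cost on each link are assumptions for this example, since the figure's layout is not reproduced here. `best_route` returns the cost and next hop a router would install, and `with_link_down` simulates the failure the text describes.

```python
import heapq
from typing import Dict, Optional, Tuple

# Router -> {neighbour: link cost}. Constructed topology (assumption).
TOPOLOGY: Dict[str, Dict[str, int]] = {
    "R1": {"R2": 10, "R3": 50},
    "R2": {"R1": 10, "R4": 10},
    "R3": {"R1": 50, "R5": 20},
    "R4": {"R2": 10, "R5": 10},
    "R5": {"R3": 20, "R4": 10},
}


def shortest_path_tree(topology: Dict[str, Dict[str, int]], source: str) -> Dict[str, Tuple[int, Optional[str]]]:
    """Dijkstra from `source`: returns destination -> (total cost, predecessor)."""
    dist: Dict[str, int] = {source: 0}
    pred: Dict[str, Optional[str]] = {source: None}
    heap = [(0, source)]
    settled = set()
    while heap:
        cost, node = heapq.heappop(heap)
        if node in settled:
            continue
        settled.add(node)
        for neighbour, link_cost in topology.get(node, {}).items():
            candidate = cost + link_cost
            if neighbour not in dist or candidate < dist[neighbour]:
                dist[neighbour] = candidate
                pred[neighbour] = node
                heapq.heappush(heap, (candidate, neighbour))
    return {n: (dist[n], pred[n]) for n in dist}


def best_route(topology: Dict[str, Dict[str, int]], source: str, dest: str) -> Optional[Tuple[int, str]]:
    """(path cost, next hop) that `source` installs for `dest`, or None if unreachable."""
    tree = shortest_path_tree(topology, source)
    if dest == source or dest not in tree:
        return None
    node = dest
    while tree[node][1] != source:        # walk back until the hop adjacent to source
        node = tree[node][1]
    return tree[dest][0], node


def with_link_down(topology: Dict[str, Dict[str, int]], a: str, b: str) -> Dict[str, Dict[str, int]]:
    """Copy of the topology with the link a-b removed (simulated failure)."""
    copy = {node: dict(neighbours) for node, neighbours in topology.items()}
    copy[a].pop(b, None)
    copy[b].pop(a, None)
    return copy


if __name__ == "__main__":
    print("normal:      ", best_route(TOPOLOGY, "R1", "R5"))
    degraded = with_link_down(TOPOLOGY, "R2", "R4")
    print("R2-R4 down:  ", best_route(degraded, "R1", "R5"))
    isolated = with_link_down(degraded, "R1", "R3")
    print("also R1-R3 down:", best_route(isolated, "R1", "R5"))
```

With these costs R1 reaches R5 through R2 for a total of 30; when the R2 to R4 link fails the only remaining path costs 70 via R3, and when that link also fails the destination is simply absent from the tree, which is what "no route" means to a router.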
If a network has a single router, as occurs in many small business networks, dynamic routing provides no benefit, and static routing is sufficient. Table 4-1 shows the contents of a sample routing table.
Table 4-1 Sample Routing Table
Route Type | Next Hop IP Address or Directly Connected Interface
Directly connected to router interface | Gigabit Ethernet 0/1.1
Directly connected to router interface | Gigabit Ethernet 0/1.2
Directly connected to router interface | Gigabit Ethernet 1/0
Directly connected to router interface | Fast Ethernet 0/3/0
Static route | 209.165.201.226
In the example shown in Table 4-1, the IP subnet 10.11.4.0/24 is connected to the router interface Gigabit Interface 0/1.1. The router forwards all traffic to this subnet through the same sub-interface. The default route is 0.0.0.0/0. In this case, the default route points to 209.165.201.226, so all traffic with an unknown destination IP address is forwarded to this address. Traffic to this subnet is sent through the interface Fast Ethernet 0/3/0, as shown in the fourth line of the table.
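Longest-prefix matching is what lets the router choose the /24 route for its own subnet and fall back to 0.0.0.0/0 for everything else. The following Python example is added here and is not code from the primer; the 10.11.4.0/24 entry, the interface names and the default route to 209.165.201.226 come from Table 4-1 and the text, while the other prefixes, the more-specific 10.11.4.128/25 static route and the destination addresses are constructed.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Route:
    prefix: ipaddress.IPv4Network
    route_type: str      # "connected" or "static"
    via: str             # outgoing interface, or next-hop IP address


class RoutingTable:
    """Minimal forwarding table with longest-prefix-match lookup."""

    def __init__(self, routes: List[Route]):
        # Longest prefix first, so the first match is the most specific one.
        self.routes = sorted(routes, key=lambda r: r.prefix.prefixlen, reverse=True)

    def lookup(self, destination: str) -> Optional[Route]:
        addr = ipaddress.IPv4Address(destination)
        for route in self.routes:
            if addr in route.prefix:
                return route
        return None                      # no route, not even a default

    def forward(self, destination: str) -> str:
        route = self.lookup(destination)
        if route is None:
            return "drop: no route"
        return f"{route.route_type} via {route.via}"


def route(prefix: str, route_type: str, via: str) -> Route:
    return Route(ipaddress.IPv4Network(prefix), route_type, via)


# Table 4-1 with the prefixes the page does not list filled in with
# constructed values; the /25 static route is also constructed, to show
# that a more specific prefix wins over the connected /24.
SAMPLE_TABLE = RoutingTable([
    route("10.11.4.0/24", "connected", "Gigabit Ethernet 0/1.1"),
    route("10.11.5.0/24", "connected", "Gigabit Ethernet 0/1.2"),   # constructed
    route("10.11.6.0/24", "connected", "Gigabit Ethernet 1/0"),     # constructed
    route("192.0.2.0/24", "connected", "Fast Ethernet 0/3/0"),      # constructed
    route("10.11.4.128/25", "static", "10.11.5.1"),                 # constructed
    route("0.0.0.0/0", "static", "209.165.201.226"),
])

if __name__ == "__main__":
    for dst in ("10.11.4.25", "10.11.4.200", "198.51.100.7"):
        print(dst, "->", SAMPLE_TABLE.forward(dst))
```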
The mapping between IP addresses and MAC addresses is stored in an ARP table by each router having a network interface in the collision domain. To keep the table current, newer associations between an IP address and a MAC address overwrite older ones, and the associations expire after a few hours, by default. ARP is used by all network devices using Ethernet interfaces, including routers, switches, PCs, laptops, and servers. Sometimes a network device may want to announce its MAC address to the Layer 2 network to which it is connected by broadcasting an ARP request packet that contains its IP address and MAC address. This is called gratuitous ARP and it helps other devices in the network to learn its MAC address. It is often used when a device boots up, or when its Ethernet card (and its MAC address) is changed. Sometimes, a device uses a gratuitous ARP to find out whether any other device in the network has been configured with the same IP address. If so, the gratuitous ARP sender receives an ARP response from the device with the duplicate address. Proxy ARP is another usage of ARP in which one host, usually a router, answers ARP requests intended for another machine. In this case, the router acts as a proxy for the destination, and accepts the responsibility for forwarding packets to it. Although Proxy ARP can help a host reach remote subnets, the same can be achieved by routing or default gateway configuration, which is typically the preferred way.
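An added Python simulation (not code from the primer) of the ARP table behaviour just described: a newer association overwrites an older one, entries expire after a timeout, a gratuitous ARP announces a host's new MAC address to every device on the segment, and a reply to that announcement reveals a duplicate IP address. The four-hour timeout, the MAC addresses and the host names are assumptions; 10.11.31.10 and 10.11.31.1 follow the addresses used in this chapter's figure.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

UNKNOWN_MAC = "00:00:00:00:00:00"
ARP_TIMEOUT_SECONDS = 4 * 3600   # assumption standing in for the "few hours" in the text


@dataclass
class ArpPacket:
    op: str              # "request" or "reply"
    sender_ip: str
    sender_mac: str
    target_ip: str
    target_mac: str = UNKNOWN_MAC


class ArpTable:
    """IP -> (MAC, time learned). A newer association overwrites an older
    one, and an entry older than the timeout is treated as absent."""

    def __init__(self, timeout: float = ARP_TIMEOUT_SECONDS):
        self.timeout = timeout
        self.entries: Dict[str, Tuple[str, float]] = {}

    def learn(self, ip: str, mac: str, now: float) -> None:
        self.entries[ip] = (mac, now)

    def lookup(self, ip: str, now: float) -> Optional[str]:
        entry = self.entries.get(ip)
        if entry is None:
            return None
        mac, learned_at = entry
        if now - learned_at > self.timeout:
            del self.entries[ip]           # expired
            return None
        return mac


@dataclass
class Host:
    name: str
    ip: str
    mac: str
    table: ArpTable = field(default_factory=ArpTable)

    def receive(self, pkt: ArpPacket, now: float) -> Optional[ArpPacket]:
        """Process one ARP packet seen on the segment; return a reply if one is due."""
        if pkt.sender_mac == self.mac:
            return None                                   # our own broadcast
        if pkt.sender_ip != self.ip:
            self.table.learn(pkt.sender_ip, pkt.sender_mac, now)
        if pkt.op == "request" and pkt.target_ip == self.ip:
            return ArpPacket("reply", self.ip, self.mac, pkt.sender_ip, pkt.sender_mac)
        return None


class Segment:
    """One Layer 2 broadcast domain: a broadcast reaches every attached host."""

    def __init__(self, hosts: List[Host]):
        self.hosts = list(hosts)

    def broadcast(self, pkt: ArpPacket, now: float) -> List[ArpPacket]:
        replies = []
        for host in self.hosts:
            reply = host.receive(pkt, now)
            if reply is not None:
                replies.append(reply)
        return replies


def gratuitous_arp(host: Host, segment: Segment, now: float) -> bool:
    """Announce the host's own IP/MAC pair by requesting its own address.
    Every other host learns (or refreshes) the mapping; a reply means some
    other device already uses the IP address, i.e. a duplicate."""
    request = ArpPacket("request", host.ip, host.mac, host.ip)
    replies = segment.broadcast(request, now)
    return any(reply.sender_mac != host.mac for reply in replies)


if __name__ == "__main__":
    laptop = Host("Laptop A", "10.11.31.10", "00:11:22:33:44:01")
    router = Host("R1", "10.11.31.1", "00:11:22:33:44:ff")
    lan = Segment([laptop, router])
    print("duplicate?", gratuitous_arp(laptop, lan, 0.0))
    print("router knows laptop as", router.table.lookup("10.11.31.10", 1.0))
```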
Default gateway IP address
One or more DNS server IP addresses
TFTP server IP address
Any public or private network that communicates over the public Internet should be part of one of these domains. Figure 4-2 shows a few commercial organizations under the .com domain.
Figure 4-2 Sub-domains of the .com Domain (the .com domain containing example.com, google.com, and example2.com)
When a small business wants to create a domain name, it selects a unique domain name and registers it with the Internet Network Information Center (InterNIC) through a domain name registrar. Domain name registrars are commercial organizations, including many ISPs, that register domain names for a fee. After registering the domain name, the business assigns Fully Qualified Domain Names (FQDN) to each of the devices that will be accessed through its name, rather than through its IP address. Typically, these devices include web servers, e-mail servers, and computers running business-specific applications, and in some cases, network devices.
Table 4-2 Examples of Fully Qualified Domain Names
Fully Qualified Domain Name (FQDN) of Network Device or Computer
www.example.com
smtp.example.com
The domain information, the FQDNs, and the associated IP addresses are maintained by computers called name servers or DNS servers. After the information for the small business is entered into the DNS server, users can access these devices by name (www.example.com) rather than having to remember an IP address. Typically, the ISP that provides the Internet connection to a small business also provides the required DNS servers and provides the IP address for these servers. All user laptops, PCs, and servers must be configured to use these DNS server addresses. It is also possible for a small business to install and maintain its own DNS server.
Note: Instead of configuring every device manually with the DNS server addresses, the DHCP server can be configured to provide the addresses as a DHCP option in the DHCP reply sent to the laptop, PC, or other network device when it obtains its IP address.

When a user directs a web browser to www.example.com, a DNS query containing the FQDN is sent to the IP address of the DNS server that is configured on the user's computer. The DNS server responds with the IP address (for example, 206.165.200.227) associated with the FQDN. After receiving the DNS response, the browser application sends the HTTP request to the web server using the IP address 206.165.200.227. If the DNS server does not find an IP address for the FQDN, it forwards the DNS query to other DNS servers on a list that it maintains.

A DNS server also stores the IP address of the e-mail server for the domain. When an e-mail is sent to user@example.com, the sending e-mail server queries the DNS server to identify the IP address of the e-mail server for the domain example.com. When it gets the response, it forwards the e-mail to the IP address given in the response. Typically, small businesses use the DNS servers provided by their ISP. However, a small business may install and maintain a local DNS server if it uses different IP addresses for servers that are accessed from the public Internet than for internal servers that are accessed by employees. In this case, employees use the local DNS server to map host names to the servers' private addresses, while external users use a DNS server on the public Internet to map host names to the public addresses.
Dynamic DNS
With the traditional DNS protocol, the IP address associated with an FQDN is manually configured on the DNS server, and any changes must also be entered manually. A DNS server is not able to resolve an FQDN if the device IP address changes frequently, which occurs when the device gets its IP address using DHCP. The IP address of the device may change when its IP address lease expires and a new IP address is leased, but the DNS server is unaware of the new IP address unless it has been manually reconfigured. The dynamic DNS (DDNS) service provided by some ISPs alleviates this problem by causing the device to automatically notify the ISP whenever its IP address changes. The dynamic DNS server gets updated with the new IP address, and so DNS continues to work. Dynamic DNS is suitable for residential broadband type deployment, and small businesses. For example, DDNS is required when users need to access a video surveillance camera from the public Internet (http://mycamera.example.com) and the device gets its IP address using DHCP. In this case, as soon as the router provides a new IP address to the camera, it also updates the DDNS server with the new IP address. This helps ensure that the FQDN-to-IP address mapping remains accurate.
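The resolution chain described in the Domain Name System section and the dynamic update described just above, as one added Python model that is not code from the primer or from any DNS software: a server answers from its own records and otherwise forwards the query to the servers on its list, a local server holding private addresses sits in front of the ISP's server holding public ones, and a DHCP-addressed device re-registers its name whenever its leased address changes. The names www.example.com, smtp.example.com, mycamera.example.com and the address 206.165.200.227 come from the text; 206.165.200.228, 10.11.4.10, the 203.0.113.x camera addresses and the MX lookup step (a sending mail server looks up the domain's MX record, then the address of the host it names) are assumptions for this example.

```python
from typing import Dict, List, Optional, Tuple

Record = Tuple[str, str]     # (fully qualified name, record type)


def _key(fqdn: str, rtype: str) -> Record:
    return fqdn.lower().rstrip("."), rtype.upper()


class DnsServer:
    """Answers from its own records; otherwise forwards the query to the
    servers on its forwarder list, in order, as the text describes."""

    def __init__(self, name: str, records: Dict[Record, str],
                 forwarders: Optional[List["DnsServer"]] = None):
        self.name = name
        self.records = {_key(n, t): v for (n, t), v in records.items()}
        self.forwarders = list(forwarders or [])

    def resolve(self, fqdn: str, rtype: str = "A") -> Optional[str]:
        key = _key(fqdn, rtype)
        if key in self.records:
            return self.records[key]
        for upstream in self.forwarders:
            answer = upstream.resolve(fqdn, rtype)
            if answer is not None:
                return answer
        return None                               # nobody knows the name

    def update(self, fqdn: str, rtype: str, value: str) -> None:
        """Dynamic DNS update: replace the record without manual reconfiguration."""
        self.records[_key(fqdn, rtype)] = value


class DdnsClient:
    """A DHCP-addressed device (the camera in the text) that re-registers its
    FQDN with the dynamic DNS server whenever its leased address changes."""

    def __init__(self, fqdn: str, server: DnsServer):
        self.fqdn, self.server, self.address = fqdn, server, None

    def lease(self, new_address: str) -> bool:
        """Called when DHCP hands out an address; True if DNS had to be updated."""
        if new_address == self.address:
            return False
        self.address = new_address
        self.server.update(self.fqdn, "A", new_address)
        return True


def mail_exchanger_address(server: DnsServer, domain: str) -> Optional[str]:
    """What a sending mail server does for user@domain: look up the domain's
    MX record, then the address of the host it names (assumption, see lead-in)."""
    mx_host = server.resolve(domain, "MX")
    return server.resolve(mx_host, "A") if mx_host else None


# Constructed data: the ISP's server carries public addresses (206.165.200.227
# is from the text, .228 is assumed); the local server holds the assumed private
# address 10.11.4.10 for the same web server and forwards everything else upstream.
PUBLIC_DNS = DnsServer("isp-dns", {
    ("www.example.com", "A"): "206.165.200.227",
    ("smtp.example.com", "A"): "206.165.200.228",
    ("example.com", "MX"): "smtp.example.com",
})
LOCAL_DNS = DnsServer("local-dns", {("www.example.com", "A"): "10.11.4.10"},
                      forwarders=[PUBLIC_DNS])

if __name__ == "__main__":
    print("employee view:", LOCAL_DNS.resolve("www.example.com"))
    print("Internet view:", PUBLIC_DNS.resolve("www.example.com"))
    camera = DdnsClient("mycamera.example.com", PUBLIC_DNS)
    camera.lease("203.0.113.5")
    print("camera:", LOCAL_DNS.resolve("mycamera.example.com"))
```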
Chapter 5
Small Business Network Topology, page 5-1
Ethernet Switches, page 5-4
WAN Routers, page 5-9
Network Management, page 5-17
Figure 5-1 Small business LAN: access switches with 10/100/1000 Mbps Ethernet links to end devices, an aggregation switch, an 802.1Q trunk interface carrying the Data and Voice VLANs, IP phones and PCs in the Voice and Data VLANs, and shared devices and servers not accessible from the Internet
In Figure 5-1, the LAN interface, Gigabit Interface 0/1, is logically divided into three sub-interfaces. Each subinterface has its own IP address and is placed in a separate VLAN. The access ports are the ports on the access switch connected to end-user devices. Often, an IP phone may have an integrated switch. In such cases, the PC or laptop can be connected to the IP phone rather than to the access switch, which eliminates additional cabling. In this case, the link between the access switch and the IP phone carries both the DATA and the Voice VLANs.
The access layer includes the access switches
The aggregation layer, also known as the distribution layer, includes the aggregation (distribution) switch
This two-layer architecture improves LAN scalability and supports deploying the optimal switches as access and aggregation switches. In larger networks, a third layer (the core layer) may be required for additional traffic aggregation using a high capacity switch. This three-layer architecture is not usually required in small business networks.
In the two-layer LAN described here, the LAN is connected to all the end-user devices, the servers, and the shared devices. The LAN switch uses high-speed interfaces (100/1000 Mbps) to provide users with high-speed access to shared devices, such as printers, business servers, network storage devices, and servers accessed from the public Internet. The network shown in Figure 5-1 segregates different types of traffic into separate VLANs. This improves LAN scalability and improves network security. Different network security policies can be applied to each VLAN. For example, a laptop can browse the Internet, but an IP phone may not need Internet access. Figure 5-1 shows the following VLANs, which can be used in a small business network to separate traffic of different types:
DATA VLAN: All laptops and PCs are placed in this VLAN. In addition, shared devices, such as printers, NAS devices, and business servers, can also be included.
Voice VLAN: Connects all IP telephony devices. This VLAN can be omitted if IP telephony is not deployed.
DMZ VLAN: Connects all servers that can be accessed from the public Internet. These servers need specific security policies, and therefore the traffic to and from these servers should be kept in a separate VLAN. See the Firewall Policy Enforcement section on page B-2 for more details. The DMZ VLAN can be omitted if these servers are not deployed.
The LAN is also connected to the WAN router, as shown in Figure 5-1.
A router, for Layer 3 forwarding of traffic among all the VLANs, to the public Internet, and possibly to other sites over a VPN connection, if the small business has other business locations.
The WAN connection, which can be a broadband connection to the public Internet, or a leased line connection to another site or to the public Internet. The connection to another site or to the Internet is terminated on the WAN router.
A PSTN connection, for telephone calls to telephones that are outside the IP telephony network. The PSTN connection is typically terminated on the WAN router so that it can help connect IP phones with the PSTN.
A WAN router can have multiple interfaces of different types, including the following:
Ethernet
Serial
Frame Relay
ISDN
Channelized T1/E1
Broadband connection, such as DSL
These interfaces are used for connecting to a LAN or to a WAN. Each router interface requires the configuration of a different IP subnet, and the router is responsible for forwarding IP packets from one subnet to another over these interfaces. A typical router has one or more LAN interfaces that can be Fast Ethernet (100 Mbps) or Gigabit Ethernet (1 Gbps). Each of these interfaces must be assigned an IP address before they can be used for forwarding IP traffic.
A single Ethernet interface on a router can be configured to function as several subinterfaces, each of which is associated with a VLAN and an IP address. Table 5-1 shows the interface Gigabit Interface 0/1 divided into three subinterfaces.
Table 5-1 VLAN Termination on WAN Router
Sub-Interface
Gigabit Ethernet 0/1.1
Gigabit Ethernet 0/1.2
Gigabit Ethernet 0/1.3
The link connecting the Gigabit Ethernet 0/1 interface with the aggregation switch carries the traffic of three VLANs, so both endpoints on this link should be configured for 802.1Q trunking.
Ethernet Switches
After describing the overall structure of a small business network, this section focuses on the Ethernet switch, one of the most important individual network components. This section describes how an Ethernet switch works, and the switch characteristics relevant to a small business network. It includes the following topics:
Ethernet Interface Types and Operating Modes, page 5-4
IP Multicast and IGMP Snooping, page 5-5
Managed and Unmanaged Switches, page 5-5
Higher throughput due to simultaneous bidirectional traffic flow.
Better link efficiency because of the absence of collisions.
Cable lengths can be longer than with half-duplex.
Half-duplex cables are limited to a maximum cable length because a collision indication sent by the farthest connected station must be received before a network device finishes sending a complete packet. Autonegotiation automatically ensures that the pair of ports connecting two devices with an Ethernet cable have the same speed and duplex setting. When autonegotiation is turned on for both ports, the ports talk to each other and adjust their speeds and duplex settings accordingly. This feature is recommended for all switches in a small business network.
Layer 3 Switching
Most switches forward traffic based on MAC address, while routers forward traffic based on the IP address of a packet. However, a Layer 3 switch has additional hardware capability, allowing it to forward traffic based on the IP address as well. A Layer 3 switch acts like a router when forwarding traffic using the IP address. Due to hardware-based packet routing in a Layer 3 switch, high capacity layer-3 forwarding can be achieved. However, a Layer 3 switch with all the required capability of a general purpose router may be more expensive than a similar router because it is harder to implement these features in specialized hardware than through software.
5-5
Due to the possibility of high-traffic volume in a LAN, a Layer 3 switch offers a cost-effective solution for limited Layer 3 switching in the LAN. To improve LAN performance, it is sometimes necessary to split the users into multiple VLANs. This results in inter-VLAN routing, or layer-3 forwarding of traffic from one VLAN to another. It is perfectly feasible to use a router for inter-VLAN routing, but with the limited routing capability required in a LAN, a Layer 3 switch may cost less to achieve the same level of performance. In general, Layer 3 switches are cost-effective within a LAN where high traffic volume is expected, but where advanced router capability, such as setting up VPNs, firewalling, or dynamic routing are not required.
Limiting the maximum traffic rate received or transmitted through an interface
Providing a minimum bandwidth to a traffic class during congestion
Providing forwarding priority to one traffic class over all others, so that any packet of that class is forwarded before traffic of other classes. This is typically required for IP telephony voice traffic.
Switch Stack
Two or more switches can be stacked together to form a logical switch. This improves availability of the combined switches because traffic can reach the destination network device through the multiple switches in the stack.
Higher link bandwidth: The bandwidth of the aggregated link is the sum of the bandwidth of each constituent link. For example, aggregating three Fast Ethernet links provides a 300 Mbps link. Without link aggregation, parallel Ethernet connections of the same three links would theoretically provide 100 Mbps bandwidth, but two of the three parallel links could be blocked by Spanning Tree Protocol (STP) to avoid a loop.
Redundancy: Link aggregation improves the reliability of the aggregated link. If a single physical link fails, traffic can still be sent through the surviving links in the bundle.
Supported only by full-duplex links. This is not a serious issue, because full-duplex operation is recommended anyway.
All links being aggregated must have the same bandwidth. For example, you cannot bundle a 100 Mbps link with a 1 Gbps link.
Link aggregation is recommended if a higher bandwidth link or a more reliable link in a critical part of the network is required.
Switch Security
This section describes several recommended Ethernet switch security features, which are described in the following topics:
Port Security, page 5-8
BPDU Guard, page 5-8
Storm Control, page 5-8
Port-Based Network Access Control (802.1x), page 5-9
Switches provide additional security features, which are not described here, including the following:
For details, see the following websites:
http://www.cisco.com/en/US/docs/switches/lan/catalyst2960/software/release/12.2_50_se/configuration/guide/swdhcp82.html
http://www.cisco.com/en/US/docs/switches/lan/catalyst2960/software/release/12.2_50_se/configuration/guide/swdynarp.html
Port Security
A switch learns the MAC addresses of connected devices when it receives packets from them and maintains information about each connected device in its MAC address table. This is a potential security risk, because a hacker can simply send lots of packets with different MAC addresses to a switch and this can overflow the MAC address table in the switch. The port security feature improves security by limiting access on a specific port to a configurable number of hosts. For example, if a laptop and IP phone are both connected to a port on the access switch, port security may be configured to learn no more than two MAC addresses through the port, one MAC address for the laptop, and the other for the IP phone. If a hacker tries to send packets with additional MAC addresses, the port can be configured to be automatically disabled. It is recommended to deploy port security on access ports connected to end-user devices on any switch that supports the feature. Port security should not be enabled on switch ports connected to other switches or routers.
BPDU Guard
BPDU Guard can be used to prevent network connection mistakes or attacks that modify the spanning tree to cause spanning tree loops and degrade LAN performance. Switches exchange BPDUs as part of the process of building and maintaining the spanning tree. A switch expects to receive BPDUs on ports that are connected to other switches. Other ports of the switch should not receive any BPDUs. An attacker can send BPDUs from a laptop or other device to modify the spanning tree. An unauthorized switch connected by a user to get some additional ports may also send BPDUs. Such BPDUs can be prevented by configuring the BPDU Guard feature on any switch ports that are not supposed to be connected to other switches. If a BPDU guard-enabled port receives a BPDU, the port is automatically disabled. The administrator can re-enable the port after investigating the anomaly. It is recommended to enable BPDU Guard, if available on a switch, on all access ports not connected to another switch.
Storm Control
Storm Control allows a switch to set an upper limit on the percentage of port bandwidth that broadcast, multicast, and unicast traffic can use. This feature can be used to prevent broadcast or multicast storms in a LAN, which can degrade LAN performance. Storm Control can be selectively enabled on one or more ports on a switch.
Although not essential, Storm Control can help suppress broadcast and multicast storms caused by a denial-of-service (DoS) attack, or by a network device malfunction.
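The three protections described in the Port Security, BPDU Guard and Storm Control sections, as one added Python simulation of a single access port (not code from the primer or from any switch): port security error-disables the port once more source MAC addresses than the configured maximum appear, BPDU Guard error-disables it on the first BPDU, and storm control drops broadcast frames beyond a per-interval byte budget while leaving the port up. The two-address limit follows the laptop-plus-IP-phone example in the text; the 125,000-byte threshold (1% of 100 Mbps over a one-second interval), the frame sizes and the MAC addresses are constructed.

```python
from dataclasses import dataclass, field
from typing import Optional, Set

BROADCAST = "ff:ff:ff:ff:ff:ff"


@dataclass
class Frame:
    src_mac: str
    dst_mac: str
    length: int = 64          # bytes on the wire (constructed sizes)
    bpdu: bool = False        # spanning-tree BPDU, normally sent only by switches


@dataclass
class AccessPort:
    """One switch access port with the three features from the text."""
    name: str
    max_secure_macs: int = 2                 # port security: laptop + IP phone
    bpdu_guard: bool = True
    storm_threshold_bytes: int = 125_000     # constructed: 1% of 100 Mbps over 1 s
    learned: Set[str] = field(default_factory=set)
    err_disabled: Optional[str] = None       # reason the port was shut down, if any
    broadcast_bytes_this_interval: int = 0

    def new_interval(self) -> None:
        """Storm control measures traffic per interval; reset the counter."""
        self.broadcast_bytes_this_interval = 0

    def receive(self, frame: Frame) -> str:
        """Apply the checks a frame meets on ingress; return the verdict."""
        if self.err_disabled:
            return f"dropped: port err-disabled ({self.err_disabled})"
        if frame.bpdu and self.bpdu_guard:
            self.err_disabled = "bpduguard"
            return "err-disabled: BPDU received on access port"
        if frame.src_mac not in self.learned:
            if len(self.learned) >= self.max_secure_macs:
                self.err_disabled = "port-security"
                return f"err-disabled: more than {self.max_secure_macs} MAC addresses seen"
            self.learned.add(frame.src_mac)
        if frame.dst_mac == BROADCAST:
            self.broadcast_bytes_this_interval += frame.length
            if self.broadcast_bytes_this_interval > self.storm_threshold_bytes:
                return "dropped: storm control threshold exceeded"
        return "forwarded"

    def admin_reenable(self) -> None:
        """Administrator re-enables the port after investigating the anomaly."""
        self.err_disabled = None
        self.learned.clear()


if __name__ == "__main__":
    port = AccessPort("FastEthernet0/1")
    for mac in ("00:aa:00:00:00:01", "00:aa:00:00:00:02", "00:aa:00:00:00:03"):
        print(mac, "->", port.receive(Frame(mac, BROADCAST)))
    port.admin_reenable()
    print("BPDU ->", port.receive(Frame("00:aa:00:00:00:05", "01:80:c2:00:00:00", bpdu=True)))
```

Port security and BPDU Guard take the port down entirely and need an administrator to bring it back, whereas storm control only discards the excess for the rest of the interval; that difference in blast radius is why the text calls the first two essential on access ports and the third merely helpful.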
WAN Routers
A WAN router is a complex device that performs a wide variety of functions apart from Layer 3 forwarding of packets. It supports a variety of interface types and add-on modules to provide additional services such as voice call processing. This section describes the WAN router functionality and includes the following topics:
WAN Router with Integrated Switch, page 5-9
WAN Interface and Connection Types, page 5-10
Router DHCP Server, page 5-10
Router Authentication Server, page 5-10
WAN Router Security, page 5-11
WAN Router Quality of Service, page 5-12
WAN Router High Availability, page 5-12
Hot Standby Router Protocol, page 5-13
Network Address Translation, page 5-13
Intrusion Prevention System, page 5-11
Guest Access, page 5-11
Spam Blocking, page 5-11
URL Filtering, page 5-11
Content Filtering, page 5-12
For more details about the security features on a router, see Appendix B, Network Security and Appendix C, Virtual Private Network (VPN) for Secure Connectivity.
Guest Access
This feature is typical with wireless access and limits traffic of visitors accessing the network to a specific VLAN. Thus, for example, visitors can have access to the Internet only, and not to local servers. It is typically deployed through configuration on the wireless LAN controller and the WAN router.
Spam Blocking
Spam blocking is a feature that is not implemented in the WAN router, but which supplements the WAN router security features. Spam blocking drops or quarantines spam e-mails, or adds a cautionary text in their subject lines. This mitigates the wastage of employee time due to unwanted e-mail. Specialized spam-blocking appliances are available for small businesses for this purpose. Alternatively, a third-party service provider can process all the e-mails for a small business to eliminate unwanted spam, and then forward valid e-mail to the small business. If this functionality is required, the router may need to be configured to support spam blocking.
URL Filtering
URL filtering is a feature that can be implemented in the WAN router or can be offloaded to external servers or provided by a third-party service. URL filtering allows a network administrator to create a list of URLs that should not be accessed by employees. The configuration is typically based on known malicious URLs that pose potential threats, or the business policy of the small business that prohibits access to certain kinds of websites from the business network.
Content Filtering
Content filtering is a feature that can be implemented in the WAN router or can be provided by a third-party service. Content filtering protects employees from web-based malware, adware, spyware, and phishing. Instead of specifying the exact URLs to block as in case of URL filtering, content filtering allows the administrator to specify a security rating, which is typically assigned to web pages by a third-party service provider. Any web pages that do not match the required security rating are blocked. In addition, the administrator can specify certain categories of web pages to block, such as violence, games, and adult content. Content filtering is typically a subscription-based service.
Link Aggregation
Link aggregation allows multiple physical links between two network devices to be bundled so that they behave like a single link. If one of the physical links fails, the remaining links stay operational.
Why NAT?, page 5-13
How NAT Works, page 5-14
Port Address Translation, page 5-16
Static NAT, page 5-16
NAT Inside the Payload, page 5-16
Why NAT?
NAT was developed to allow networks using private IP addresses to communicate over the Internet. As explained earlier in the Private IP Addresses section on page 3-14, you cannot send traffic using private IP addresses to the public Internet, because the same private IP address may be used by many networks that are all connected to the Internet, and each IP address on the Internet must be unique. For example, consider three small businesses, company1, company2, and company3, which are connected to the Internet as shown in Figure 5-2. Each laptop or PC at each of these businesses gets a private IP address from the same range (10.11.31.10 to 10.11.31.110). The WAN interface of each business has a public IP address as shown. Employees of each company can communicate using their PCs or laptops within each private network, because each computer has a unique private IP address. However, if a laptop with the IP address 10.11.31.40 at one company tries to send a message to 10.11.31.90 at another company, the packet cannot be delivered. Instead, the data packet is sent to the local network. If the destination address were a private address with a different network ID, it might be sent to a public Internet router, but it would be dropped because a public Internet router does not accept or forward packets to a private IP address.
Figure 5-2 Small business 1, Small business 2, and Small business 3 each using private addresses 10.11.31.10 to 10.11.31.110 and connected to the Internet, which does not know how to reach private IP addresses such as 10.11.31.10
Figure 5-3 NAT on the WAN router: the outbound packet to the Internet carries source IP address 209.165.200.227, source port 2200, destination IP address 209.165.201.10, destination port 80; the reply carries source IP address 209.165.201.10, source port 80, destination IP address 209.165.200.227, destination port 2200. The router NAT table lists the outside addresses 209.165.202.130:53 and 209.165.201.10:80.
Figure 5-3 shows an example of network address translation when PCs or laptops from the private subnet 10.11.31.0/24 send traffic to the public Internet and the WAN router translates these IP addresses to the public IP address 209.165.200.227. The second line in the router NAT table shows the address translation when a laptop with IP address 10.11.31.10 opens a web page on a public Internet server with the IP address 209.165.201.10. In this case, the session established by the laptop is identified by TCP port 1901 at the source laptop and by TCP port 80, which is the well-known HTTP port, at the destination. As shown, the NAT router assigns an unused port, 2200, to identify the source laptop, and creates the entry shown in the NAT table. It then substitutes the WAN IP address 209.165.200.227 and TCP port 2200 in the original IP packet and forwards it to the web server. When the response from the web server arrives, the IP packet has destination IP address 209.165.200.227 and TCP port 2200. The WAN router consults its NAT table, changes the destination address and port, and forwards the packet to 10.11.31.10 with TCP port 1901.
Static NAT
Static NAT, also known as 1-to-1 NAT, translates a single private address to a single public IP address. Public servers, such as a web server or an e-mail server, that are assigned a private address on an internal network but are accessed from the public Internet, require a fixed, public IP address. In this case, the private IP address is translated to a unique, publicly routable IP address. For example, if you add an e-mail server with the IP address 10.11.31.22 and want it to be accessed from the Internet using the IP address 209.165.200.229, the router can be configured with a single static NAT entry that translates 10.11.31.22 to 209.165.200.229.
Note: It is also possible to translate an IP address from a range of private IP addresses to an IP address selected dynamically from a pool of public IP addresses. This is suitable when the number of devices is larger than the number of publicly routable addresses, but is not common for small businesses.
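The translations described in the two preceding sections (PAT/NAT overload with the NAT table of Figure 5-3, and static 1-to-1 NAT for a server), as one added Python example that is not code from the primer or from any router. The addresses and ports 10.11.31.10:1901, 209.165.200.227:2200, 209.165.201.10:80 and the static pair 10.11.31.22 to 209.165.200.229 come from the text; the second laptop, the port-allocation order starting at 2200 and the outside address 198.51.100.9 are constructed.

```python
import ipaddress
from dataclasses import dataclass, replace
from typing import Dict, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    proto: str = "tcp"


class NatRouter:
    """WAN router doing PAT (NAT overload) for an inside subnet, plus static
    1-to-1 NAT for selected servers."""

    def __init__(self, wan_ip: str, inside_subnet: str,
                 static_map: Optional[Dict[str, str]] = None, first_port: int = 2200):
        self.wan_ip = wan_ip
        self.inside = ipaddress.IPv4Network(inside_subnet)
        self.static = dict(static_map or {})                    # private -> public
        self.static_rev = {pub: priv for priv, pub in self.static.items()}
        # PAT table: (proto, WAN port) -> (private IP, private port), plus reverse index
        self.pat: Dict[Tuple[str, int], Tuple[str, int]] = {}
        self.pat_rev: Dict[Tuple[str, str, int], int] = {}
        self.next_port = first_port

    def _allocate_port(self, proto: str) -> int:
        """Pick an unused WAN-side port (the router's '2200' in the text)."""
        for _ in range(65535 - 1024):
            port = self.next_port
            self.next_port = port + 1 if port < 65535 else 1024
            if (proto, port) not in self.pat:
                return port
        raise RuntimeError("NAT table full")

    def outbound(self, pkt: Packet) -> Packet:
        """Translate a packet leaving the LAN for the Internet."""
        if pkt.src_ip in self.static:                           # static NAT server
            return replace(pkt, src_ip=self.static[pkt.src_ip])
        if ipaddress.IPv4Address(pkt.src_ip) not in self.inside:
            return pkt                                          # excluded from NAT
        key = (pkt.proto, pkt.src_ip, pkt.src_port)
        if key not in self.pat_rev:                             # new session: add entry
            wan_port = self._allocate_port(pkt.proto)
            self.pat_rev[key] = wan_port
            self.pat[(pkt.proto, wan_port)] = (pkt.src_ip, pkt.src_port)
        return replace(pkt, src_ip=self.wan_ip, src_port=self.pat_rev[key])

    def inbound(self, pkt: Packet) -> Optional[Packet]:
        """Translate a packet arriving from the Internet; None means dropped."""
        if pkt.dst_ip in self.static_rev:                       # server reachable by design
            return replace(pkt, dst_ip=self.static_rev[pkt.dst_ip])
        if pkt.dst_ip != self.wan_ip:
            return None
        entry = self.pat.get((pkt.proto, pkt.dst_port))
        if entry is None:
            return None      # no NAT entry: unsolicited inbound traffic cannot be delivered
        private_ip, private_port = entry
        return replace(pkt, dst_ip=private_ip, dst_port=private_port)


if __name__ == "__main__":
    nat = NatRouter("209.165.200.227", "10.11.31.0/24",
                    static_map={"10.11.31.22": "209.165.200.229"})
    out = nat.outbound(Packet("10.11.31.10", 1901, "209.165.201.10", 80))
    print("outbound:", out)
    print("reply:   ", nat.inbound(Packet("209.165.201.10", 80, "209.165.200.227", 2200)))
    print("NAT table:", nat.pat)
```

The asymmetry in `inbound` is the security-relevant part: a packet from the Internet is delivered only if it matches an entry a LAN host created, or a static mapping the administrator created; everything else has nowhere to go.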
IP telephony applications using Session Initiation Protocol (SIP)
Audio or video applications using the H.323 protocol
DNS
When performing NAT with these kinds of applications, the router must read and change the user data payload to translate the IP address. When selecting a router to perform NAT, you should understand the requirements of the applications deployed in your network, and routers from different vendors vary in their level of support for various types of NAT. The NAT recommendations for a small business network are as follows:
Use PAT/NAT overload for the subnets used by PCs and laptops. The following information is typically needed to configure PAT/NAT overload:
IP subnet of the PCs/laptops (and/or the range of IP addresses in this subnet)
IP addresses to exclude from NAT (for example, they may be assigned to network devices that do not access the Internet)
Public IP address (the WAN interface IP address) to which the private IP addresses are to be translated
5-16
Chapter 5
No NAT is needed for a server accessible by employees unless it is accessed from the public Internet. This is true even if the server is accessed using a private IP address by employees from various locations using a VPN connection. Use static NAT for servers that can be accessed from the public Internet (e-mail, HTTP, and so forth). The following information is typically needed to configure NAT for a server that is accessed from the public Internet:
- Fixed private IP address assigned to the server
- Fixed public IP address assigned to the server
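The following added example (not part of the Cisco primer) models the NAT table described for Figure 5-3 and the static NAT entry for the e-mail server, using the primer's own addresses (10.11.31.0/24 behind 209.165.200.227, 10.11.31.22 mapped to 209.165.200.229). The Packet and NatRouter names, the exclusion list and the Internet host 198.51.100.7 are constructed for this example. The security-relevant behaviour to note is inbound(): a packet from the Internet that matches no table entry is returned as None, which is why hosts behind PAT are not reachable unless they opened the session themselves.

```python
from dataclasses import dataclass, replace
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Packet:
    """IP and transport header fields that NAT rewrites (constructed for this example)."""
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    proto: str = "tcp"


class NatRouter:
    """WAN router keeping a PAT (NAT overload) table plus static 1-to-1 entries."""

    def __init__(self, wan_ip, inside_subnet, exclude=(), first_port=2200):
        self.wan_ip = wan_ip
        self.inside = ip_network(inside_subnet)
        self.exclude = {ip_address(a) for a in exclude}   # hosts never translated
        self.static = {}      # private IP -> public IP
        self.static_rev = {}  # public IP -> private IP
        self.pat = {}         # (proto, private IP, private port) -> public port
        self.pat_rev = {}     # (proto, public port) -> (private IP, private port)
        self.next_port = first_port

    def add_static(self, private_ip, public_ip):
        """Static NAT: one private address permanently mapped to one public address."""
        self.static[private_ip] = public_ip
        self.static_rev[public_ip] = private_ip

    def outbound(self, pkt):
        """Translate a packet leaving the LAN; packets not subject to NAT are returned as-is."""
        if pkt.src_ip in self.static:
            return replace(pkt, src_ip=self.static[pkt.src_ip])
        src = ip_address(pkt.src_ip)
        if src not in self.inside or src in self.exclude:
            return pkt
        key = (pkt.proto, pkt.src_ip, pkt.src_port)
        if key not in self.pat:
            # pick the next unused public port and record both directions
            while (pkt.proto, self.next_port) in self.pat_rev:
                self.next_port += 1
            self.pat[key] = self.next_port
            self.pat_rev[(pkt.proto, self.next_port)] = (pkt.src_ip, pkt.src_port)
            self.next_port += 1
        return replace(pkt, src_ip=self.wan_ip, src_port=self.pat[key])

    def inbound(self, pkt):
        """Translate a packet arriving from the Internet; None means no table entry (dropped)."""
        if pkt.dst_ip in self.static_rev:
            return replace(pkt, dst_ip=self.static_rev[pkt.dst_ip])
        if pkt.dst_ip == self.wan_ip:
            entry = self.pat_rev.get((pkt.proto, pkt.dst_port))
            if entry is not None:
                return replace(pkt, dst_ip=entry[0], dst_port=entry[1])
        return None


def demo():
    """Replays the Figure 5-3 scenario and returns the translated packets."""
    r = NatRouter("209.165.200.227", "10.11.31.0/24", exclude=["10.11.31.1"])
    r.add_static("10.11.31.22", "209.165.200.229")
    out = r.outbound(Packet("10.11.31.10", 1901, "209.165.201.10", 80))
    back = r.inbound(Packet("209.165.201.10", 80, "209.165.200.227", 2200))
    # constructed Internet host 198.51.100.7 sending to a port with no table entry
    stray = r.inbound(Packet("198.51.100.7", 4444, "209.165.200.227", 2201))
    mail = r.inbound(Packet("198.51.100.7", 5000, "209.165.200.229", 25))
    return {"out": out, "back": back, "stray": stray, "mail": mail}
```

Running demo() shows the laptop's session leaving as 209.165.200.227:2200, the web server's reply being mapped back to 10.11.31.10:1901, the stray packet being discarded, and mail for 209.165.200.229 being delivered to the server's private address.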
Network Management
Network management includes the following operations:
- Network device provisioning, which consists of adding new devices, services, and users
- Administration, which determines the assignment of network resources
- Configuration
- Monitoring
- Maintenance
These activities can be performed manually or automatically using a variety of tools, which are described in the following topics:
- Web-Based Management Tools, page 5-17
- Command-Line Interface, page 5-17
- Simple Network Management Protocol, page 5-18
- WAN Router Universal Plug and Play, page 5-18
Command-Line Interface
Network management using a command-line interface (CLI) may not be available on all network devices as some devices support only web-based or other GUI management tools. Although CLIs typically require some specialized training or extensive experience, the CLI often provides more granular configuration for network devices. Also, the CLI configuration can typically be saved and transferred from one device to another, which simplifies and standardizes the configuration of similar devices.
Chapter 6
IP Telephony Infrastructure
This chapter describes specific aspects of the network infrastructure required for implementation of IP telephony. This chapter includes the following sections:
- Voice-Specific VLAN, page 6-1
- Power over Ethernet, page 6-1
- Quality of Service for IP Telephony, page 6-1
- Unified Communication Management, page 6-3
Voice-Specific VLAN
It is recommended that voice components in the network be placed in a separate VLAN, to separate voice traffic from other traffic, and to allow voice-specific policies to be applied to the voice traffic.
Table 6-1

Maximum end-to-end packet delay
  Voice bearer traffic: <150 ms for best voice; <250 ms for inter-regional calls may be of acceptable quality to most users (ITU-T G.114).
  Voice signaling traffic: Does not require as strict delay bounds as bearer traffic, but long delay would slow down call establishment.

Packet loss
  Voice bearer traffic: Assuming a codec that can conceal the effect of a single packet loss, but not the loss of two consecutive packets, 1% packet loss generates an audible voice glitch every 3 minutes, on average, and 0.25% packet loss generates a glitch every 53 minutes, on average.
  Voice signaling traffic: Packet loss should be recognized, and the packet is transmitted again.

Jitter
  Voice bearer traffic: <30 ms recommended
  Voice signaling traffic: N/A
As can be seen, voice bearer packets are very sensitive to packet delay, loss, and jitter. Voice signaling traffic is sensitive to packet loss, but can accommodate some amount of delay and jitter. Keeping these requirements in mind, the network should be designed to provide proper QoS to these two voice-related traffic classes. The typical QoS treatment for these traffic classes in the configuration of the router is shown in Table 6-2.
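The packet-loss figures in Table 6-1 follow from its own assumption (a codec that conceals one lost packet but not two in a row). The following added example, which is not from the primer, reproduces them and checks a measured bearer stream against the table's bounds. It assumes 50 packets per second (20 ms of audio per packet, the usual packetization) and independent random losses; jitter is computed as the primer defines it, the difference in end-to-end delay between consecutive packets. The function names and the 0.25% loss threshold used by bearer_traffic_ok are this example's choices.

```python
PACKETS_PER_SECOND = 50   # assumption: 20 ms of audio per packet


def expected_glitch_interval_s(loss_rate, pps=PACKETS_PER_SECOND):
    """Mean time between audible glitches for a codec that conceals a single loss.

    A glitch needs two consecutive losses. With independent losses that has
    probability loss_rate**2 per packet, so it happens loss_rate**2 * pps times
    per second on average; the expected interval is the reciprocal.
    """
    if not 0 < loss_rate < 1:
        raise ValueError("loss_rate must be a fraction strictly between 0 and 1")
    return 1.0 / (loss_rate ** 2 * pps)


def glitch_interval_minutes(loss_rate):
    return expected_glitch_interval_s(loss_rate) / 60.0


def jitter_ms(delays_ms):
    """Jitter per the primer's definition: delay difference between consecutive packets."""
    return [abs(b - a) for a, b in zip(delays_ms, delays_ms[1:])]


def bearer_traffic_ok(loss_rate, delays_ms, inter_regional=False):
    """Check a measured bearer stream against Table 6-1.

    delays_ms: one-way (mouth-to-ear) delay of each packet in milliseconds.
    Delay bound is 150 ms (250 ms for inter-regional calls, ITU-T G.114),
    jitter must stay below 30 ms, and loss at or below 0.25% is treated as
    acceptable (this example's threshold, matching the table's 53-minute case).
    """
    delay_limit = 250 if inter_regional else 150
    return (max(delays_ms) < delay_limit
            and max(jitter_ms(delays_ms), default=0) < 30
            and loss_rate <= 0.0025)
```

At 1% loss the expected interval is 1 / (0.01^2 * 50) = 200 s, about 3.3 minutes; at 0.25% it is 3200 s, about 53 minutes, which are the values in Table 6-1. Bursty loss (for example a congested queue dropping several packets in a row) breaks the independence assumption and produces glitches far more often than this estimate.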
Table 6-2 Typical QoS Functionality in a Router

Classification and marking
  Voice bearer traffic: Traffic is assumed to be already marked with DSCP CS5 (or IP precedence 5).
  Voice signaling traffic: Traffic is assumed to be marked with DSCP CS3 or AF31 (or IP Precedence 3). If the router itself generates signaling traffic (Unified Communication Manager is part of the router), then the router should be able to mark the signaling traffic.

Queuing
  Voice bearer traffic: Priority queue (voice bearer traffic is forwarded by the router before any other traffic, to minimize delay and packet loss).
  Voice signaling traffic: A minimum bandwidth of about 5-10% of the line bandwidth is guaranteed to this traffic during congestion, so that packets are not dropped.

Rate-limiting
  Voice bearer traffic: Voice bearer traffic is ideally restricted to not more than 33-40% of the WAN bandwidth (to prevent voice bearer traffic from using the whole line rate and starving other traffic classes).
  Voice signaling traffic: N/A
The QoS features that the router must provide to support IP telephony include the following:
- Priority queuing
- Class-based weighted fair queuing (CBWFQ)
- Policing features to support IP telephony

See Appendix A, Quality of Service for details. The features that the switch must provide to support IP telephony include the following:
- Priority queuing
- Weighted round robin (WRR)
- Shaped round robin (SRR) queueing
- Policing/marking features to support IP telephony
Chapter 7
- Overview, page 7-1
- Wireless Devices, page 7-1
- Separate VLANs for Wireless Traffic, page 7-2
- Quality of Service, page 7-2
- WLAN Security, page 7-3
Overview
A WLAN is typically used for the following purposes in a network:
- To connect employee laptops wirelessly to the office network, allowing the employees to be mobile within the office
- For deploying wireless IP phones in the office
- To allow visitors to access the Internet wirelessly through the office network, but preventing or limiting access to office resources
The network features required to support a WLAN are described in the following sections.
Wireless Devices
For adding a WLAN to a wired network, the network must have two types of specialized wireless devices, which are briefly described in this section:
- Wireless Access Point, page 7-1
- Wireless LAN Controller, page 7-2
Because a limited number of users are supported by a single AP, a network may need more than one AP depending on the number of users and their geographical distribution. An AP is typically attached to a switch, but can be directly attached to a router as well. In a small business network, the AP may be integrated with a router to reduce the number of devices and to reduce cost.
Wireless LAN controllers are used to deploy seamless roaming across multiple IP subnets. Guest access functionality is deployed to separate guest traffic from other traffic. Guest access is typically provided in a wireless network in conjunction with a wireless LAN controller.
Quality of Service
If voice applications are deployed in the wireless network, such as wireless IP telephones, QoS in the wireless as well as the wired network becomes important. In this case, the wireless APs must implement Wireless Multimedia Extensions (WMM) to perform QoS in wireless media. WMM classifies and marks wireless traffic and provides QoS to traffic classes, including the following:
These markings may not exactly match traffic marking for corresponding traffic classes in the wired network. Therefore, the WMM traffic classifications and markings must be mapped to each other either by the AP, or by the switch to which the AP is connected.
WLAN Security
Because wireless is a broadcast medium, anyone can send or receive data over the media, so security in a WLAN is especially important. Security in a WLAN requires the following components, which are important due to the inherent lack of security in the technology used for wireless signaling (physical layer):
Authentication
User authentication prevents unauthorized access to network resources. An AP or a wireless LAN controller may support several types of authentication that are used by clients to connect to the WLAN. The 802.11 specification describes methods for authenticating WLAN clients, including the following:
- Open authentication: Consists of two messages, the authentication request and the authentication response.
- Shared key authentication: Requires the requesting client and the AP to be configured with a static key.
- MAC address authentication: The AP is configured with a list of permitted MAC addresses.
- 802.1X-based authentication, such as EAP, PEAP, TLS, and TTLS.
The IEEE 802.1X standard provides a framework for many authentication types at the link layer. On receiving wireless traffic from a client, an 802.1X-enabled AP authenticates the client against an authentication server (for example, a RADIUS server). The client is allowed to send data only if the authentication is successful.
Data Encryption
A WLAN supports several types of encryption methods that are used by clients with authentication methods to connect to the AP. The following are some of the encryption methods commonly used in WLANs:
- Wired Equivalent Privacy (WEP).
- Cisco WEP Extensions (Cisco Key Integrity Protocol with Cisco Message Integrity Check).
- Wi-Fi Protected Access (WPA) / Wi-Fi Protected Access 2 (WPA2). A pre-shared key can be configured, or RADIUS can be used to authenticate clients for WPA or WPA2. TKIP and CCMP (AES) encryption are supported.
WPA2 with AES encryption is recommended, because it provides better security. For a comprehensive review of 802.11 wireless LAN security and the Cisco Wireless Security Suite, see the Wireless LAN Security White Paper at the following website: http://www.cisco.com/en/US/prod/collateral/wireless/ps5678/ps430/ps4076/prod_white_paper09186a00800b469f_tk809_TSD_Technologies_White_Paper.html
Appendix A
Quality of Service
This appendix describes quality of service (QoS) concepts and mechanisms. It includes the following sections:
- Overview, page A-1
- Traffic Classification, page A-2
- Traffic Marking, page A-3
- Traffic Policing, page A-4
- Traffic Shaping, page A-4
- Queuing, page A-5
- QoS in a Switch, page A-6
- QoS in a WAN Router, page A-6
- Advanced QoS, page A-7
Overview
Quality of service (QoS) is a set of features that help manage packet loss, transmission delay, and jitter for different types of traffic such as voice, video, critical business data, and Internet browsing traffic. The following are some useful definitions:
- Packet loss: The percentage of packets the network does not deliver.
- Delay: The time it takes a packet to reach its destination after being transmitted from the sending endpoint. In the case of voice traffic, a useful measure is the mouth-to-ear delay, which is the total time it takes for sound to pass from speaker to listener.
- Delay variation (jitter): The difference in the end-to-end delays between packets. For example, if one packet required 100 milliseconds (ms) to traverse the network from the source to the destination and the following packet required 125 ms to make the same trip, then the jitter would be calculated as 25 ms.
Voice and video-based applications require packet loss, delay, and jitter to be kept within certain limits. QoS is essential in networks deploying voice or video applications to ensure that these limits are respected. QoS can also provide better bandwidth guarantees to business-critical data, so that transmission of financial information gets a higher priority than casual Internet browsing. If a network provides only Internet access for browsing and Internet-based e-mail, then the network does not need QoS. However, even in this case, it is better to deploy QoS-capable network devices for investment protection, because QoS is likely to be required as the network grows.
The following sections describe the basic techniques used by network devices to provide QoS to various traffic types.
Traffic Classification
Because QoS treats different types of traffic differently, the first step is to classify traffic into various traffic classes such as voice traffic, signaling traffic, critical business application traffic, and all other traffic. Any number of traffic classes can be used, depending on how granular you want your QoS policies to be. A network device can classify traffic according to any of the following methods:
- Port on which the traffic is received. For example, all traffic from a switch port connected to a video camera would belong to the video traffic class.
- Value of one or more fields in a packet. For example, the source and destination IP address or field values set by the application generating the traffic.
- Upper layer (Layer 4 to 7) information contained in the packet. For example, the TCP/UDP port used for the session is often used to identify an application. Some common application protocols and ports are summarized in Table A-1.
- IP Precedence or DSCP fields of the IP packet, or the CoS field in an Ethernet frame. This assumes that the packet has been already classified by the traffic source or another network device, which might be directly attached to the traffic source. The traffic classification is written to the fields in the IP packet or Ethernet frame that are reserved for this information.
Table A-1 Common Application Protocols and Ports

Application             Protocol   Port
E-mail (SMTP traffic)   TCP        25
WWW (HTTP)              TCP        80
Secure HTTP (HTTPS)     TCP        443
Telnet                  TCP        23
Domain Name System      TCP/UDP    53
After being classified, the traffic can be processed by QoS mechanisms, such as policing, queuing, and so forth, that work with classified packets. Although traffic can be classified in any way necessary, some common traffic classes include the following:
- Voice traffic
- Video traffic
- Signaling traffic: Traffic used to manage network connections, such as those required to set up IP phone calls, or video and teleconferencing sessions
- Routing and internetworking traffic: Traffic between network devices used for communication among the network devices
- Critical business applications
- Best effort traffic: Traffic, such as casual Internet browsing, that is not provided any QoS guarantee, so the traffic is most susceptible to packet loss, delay, and jitter in a congested network
Traffic Marking
After a packet is classified as belonging to a traffic class, such as voice or best effort, the packet can be marked to indicate the traffic classification (see Figure A-1).
Figure A-1 Traffic Marking in Ethernet Frames and IP Packets (figure: the Priority, CFI, and VLAN ID fields of the 802.1Q/p header in an Ethernet frame, and the IP Precedence field of the IP header, followed by Data and FCS)
Note
There are cases in which the traffic marking is local to the network device classifying the traffic, but the marking is not placed in the packet itself. Marking the packet or frame occurs by modifying the IP Precedence or DSCP in the IP header and the CoS bits in an 802.1q Ethernet frame. The packet or frame should be marked as close to the traffic source as possible. For example, if you have an IP phone, it is best for the IP phone to mark the IP precedence or DSCP of all the packets it generates. Marking at the source distributes the work across many sources rather than relying on a few network devices. It also simplifies traffic classification because classifying a packet farther from the source requires more complex and inefficient packet inspection, such as inspecting the Layer 4 protocol, port, source IP address, or in some cases, application-specific information.
Note
One of the important device selection criteria for devices such as IP phones, video surveillance cameras, network storage servers (NSS) and so forth, is their traffic-marking capability.
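The following added example, which is not from the primer, ties the classification methods above to the marking values a device writes: a packet is classified by an existing marking (only when the source is trusted), by the receiving port, or by its Layer 4 port per Table A-1, and the resulting DSCP is expanded into IP Precedence, the ToS byte, and the 802.1p CoS. The CS5 and CS3/AF31 values for voice and signaling are the primer's (Table 6-2); the AF21 and AF41 values for critical data and video, the RTP port range, the SIP/SCCP ports, the choice of SMTP and HTTPS as business-critical, and the function names are assumptions of this example.

```python
# DSCP code points (RFC 2474 class selectors, RFC 2597 assured forwarding)
DSCP = {"CS0": 0, "AF21": 18, "CS3": 24, "AF31": 26, "AF41": 34, "CS5": 40}

# Well-known application ports from Table A-1: (protocol, port) -> application
APP_PORTS = {("tcp", 25): "smtp", ("tcp", 80): "http", ("tcp", 443): "https",
             ("tcp", 23): "telnet", ("tcp", 53): "dns", ("udp", 53): "dns"}

# Marking per class. Voice and signaling follow Table 6-2; critical-data (AF21)
# and video (AF41) are this example's assumptions, the primer gives no value.
CLASS_DSCP = {"voice": "CS5", "signaling": "CS3", "video": "AF41",
              "critical-data": "AF21", "best-effort": "CS0"}
DSCP_TO_CLASS = {DSCP[name]: cls for cls, name in CLASS_DSCP.items()}
DSCP_TO_CLASS[DSCP["AF31"]] = "signaling"      # Table 6-2 allows AF31 for signaling too


def classify(pkt, trust_marking=False):
    """Return the traffic class of a packet.

    pkt keys: proto ('tcp'/'udp'), dst_port, optional dscp (marking already in the
    packet) and optional ingress (name of the receiving port). Existing markings
    are honoured only when trust_marking is True, i.e. when the port faces a
    device such as an IP phone that is trusted to mark its own traffic.
    """
    if trust_marking and pkt.get("dscp") is not None:
        return DSCP_TO_CLASS.get(pkt["dscp"], "best-effort")
    if pkt.get("ingress") == "video-camera":             # classification by receiving port
        return "video"
    proto, port = pkt["proto"], pkt.get("dst_port")
    if proto == "udp" and port is not None and 16384 <= port <= 32767:
        return "voice"                                   # assumption: RTP bearer port range
    if port in (5060, 2000):                             # SIP / SCCP call control (assumption)
        return "signaling"
    if APP_PORTS.get((proto, port)) in ("smtp", "https"):
        return "critical-data"                           # assumption: business-critical apps
    return "best-effort"


def marking(cls):
    """Field values a device writes for a class: DSCP, the IP Precedence it implies
    (top three bits), the ToS byte (DSCP shifted past the two ECN bits) and the
    802.1p CoS under the common default DSCP-to-CoS map (also the top three bits)."""
    dscp = DSCP[CLASS_DSCP[cls]]
    return {"dscp": dscp, "ip_precedence": dscp >> 3, "tos_byte": dscp << 2, "cos": dscp >> 3}
```

The trust_marking flag is the point worth keeping in mind when applying the "mark close to the source" advice above: a switch that trusts DSCP on every port lets any PC mark its own traffic CS5 and take a share of the voice priority queue, so trust should be enabled only on ports that face trusted devices and other ports should be re-marked.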
Traffic Policing
Traffic policing, also known as rate limiting, measures traffic rate for a traffic class and drops traffic that exceeds a specified rate. For example, policing can ensure that voice traffic coming into a switch or router through a specific port or interface does not exceed 300 kbps. Policing does not buffer traffic that exceeds the policing rate; it simply drops any excess traffic. However, some devices can mark the excess traffic as best effort, which means there is no QoS guarantee. Although the policing device may drop packets, it does not delay any packet that it does transmit. This makes policing a suitable mechanism for enforcing a maximum rate for delay-sensitive traffic, such as voice. However, actually dropping voice traffic is detrimental to voice quality. Policing is used with voice traffic only to enforce a traffic limit that is normally not expected to be exceeded. Traffic shaping, which is described in the following section, has different characteristics.
Traffic Shaping
Like traffic policing, traffic shaping imposes a maximum bandwidth on a traffic class. However, instead of dropping the excess traffic, it stores the excess traffic in a queue (see Figure A-2). Incoming packets are placed in the queue and packets from the head of the queue are taken out and transmitted at the shaped rate.
Figure A-2 Traffic Policing vs. Traffic Shaping (figure: two plots of traffic volume over time; with policing, traffic above the traffic rate is cut off; with shaping, traffic is buffered and smoothed to the traffic rate, which potentially results in increased latency)
With traffic shaping, as long as there is no traffic congestion, the queue remains empty, and incoming packets are immediately transmitted. However, when the incoming traffic rate exceeds the shaped rate, a queue is formed. If the queue becomes full, excess packets are dropped.
If the incoming traffic rate decreases before the queue is full, then the packets from the queue are removed from the queue and transmitted. This type of buffering smooths out the traffic, as shown in Figure A-2. Although this is beneficial in many cases, the packets that are buffered are delayed. Therefore, shaping may delay packets during congestion, and that makes it unsuitable for certain delay-sensitive traffic, such as voice traffic. The general recommendation is to avoid shaping delay-sensitive traffic, such as voice. For rate limiting voice traffic, policing is generally recommended. However, rate limiting through shaping provides better throughput than policing for traffic from applications that are not delay sensitive.
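The following added example, not taken from the primer, runs one constructed packet burst through a token-bucket policer and through a shaper configured for the same rate, so the contrast drawn in the two sections above can be seen in numbers: the policer discards the excess and adds no delay, the shaper keeps almost everything but delays it, and drops only once its queue is full. The rate (80 kbps), burst size, queue limit, packet stream and function names are this example's assumptions.

```python
def police(packets, rate_bps, burst_bytes):
    """Single-rate token-bucket policer.

    packets: list of (arrival_ms, size_bytes) in arrival order.
    Returns (conforming, dropped); conforming packets are forwarded at their
    arrival time, so the policer never adds delay.
    """
    tokens, last_ms = float(burst_bytes), 0.0
    conforming, dropped = [], []
    for t_ms, size in packets:
        tokens = min(burst_bytes, tokens + (t_ms - last_ms) * rate_bps / 8000.0)  # refill
        last_ms = t_ms
        if size <= tokens:
            tokens -= size
            conforming.append((t_ms, size, t_ms))      # (arrival, size, departure)
        else:
            dropped.append((t_ms, size))               # excess is discarded, not queued
    return conforming, dropped


def shape(packets, rate_bps, queue_limit_bytes):
    """Shaper: excess packets wait in a queue and leave back-to-back at the shaped rate.

    Returns (sent, dropped); sent entries are (arrival, size, transmission start).
    """
    sent, dropped = [], []
    link_free_ms = 0.0
    starts = []   # (transmission start, size) of every packet accepted so far
    for t_ms, size in packets:
        backlog = sum(s for start, s in starts if start > t_ms)   # bytes still waiting at t
        if backlog + size > queue_limit_bytes:
            dropped.append((t_ms, size))               # queue full: tail drop
            continue
        start = max(t_ms, link_free_ms)
        link_free_ms = start + size * 8000.0 / rate_bps
        starts.append((start, size))
        sent.append((t_ms, size, start))
    return sent, dropped


def sample_stream():
    """Constructed burst: 10 packets of 1000 bytes every 50 ms, i.e. 160 kbps offered."""
    return [(50.0 * i, 1000) for i in range(10)]


def compare(packets, rate_bps=80_000, burst_bytes=2000, queue_limit_bytes=4000):
    """Send the same stream through a policer and a shaper at the same rate."""
    conforming, p_dropped = police(packets, rate_bps, burst_bytes)
    sent, s_dropped = shape(packets, rate_bps, queue_limit_bytes)
    return {
        "policer": {"forwarded": len(conforming), "dropped": len(p_dropped),
                    "max_delay_ms": max(d - a for a, _, d in conforming)},
        "shaper": {"forwarded": len(sent), "dropped": len(s_dropped),
                   "max_delay_ms": max(d - a for a, _, d in sent)},
    }
```

With the sample stream offered at twice the configured rate, the policer forwards 6 of 10 packets with zero added delay, while the shaper forwards 9 and holds the last of them for 400 ms before transmission; that held time is exactly why shaping is avoided for voice.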
Queuing
If a network interface is uncongested, then packets are transmitted in strict First-In-First-Out (FIFO) order. However, if a network device, such as a router or switch, receives packets faster than they can be transmitted on any interface or port, the excess packets may be placed in a queue (see Figure A-3). Packets from the head of the queue are transmitted first. Packets that the network device wants to transmit through the interface are added to the tail of the queue. If there is no traffic congestion, the queue remains empty. As congestion increases, the queue size grows. There is a finite limit to the queue size. If there is sustained congestion, the queue fills up and excess packets are dropped. This description applies to a single queue associated with an interface. Often, there are multiple queues for an interface, one per traffic class as shown in Figure A-3. A queuing scheduler is an algorithm that identifies the packet from each queue to transmit next and it can consider the traffic class. Traffic of a higher priority class can be given higher transmission priority, or can be assigned a minimum assured bandwidth during congestion.
Figure A-3 Queuing Process (figure: forwarded packets are sorted by traffic class into Queue 1 for traffic class 1, Queue 2 for traffic class 2, and a default queue for the default class; a queuing scheduler selects the next packet to send on the interface)
Different queuing policies may be configured to determine the order in which packets should be transmitted from each queue:
- Weighted Round Robin (WRR): Each traffic class can be assigned a minimum bandwidth guarantee during congestion. Any unused bandwidth for a specific traffic class can be shared with other classes. An example of WRR is class-based weighted fair queuing.
- Shaped Round Robin (SRR): Each traffic class can be assigned a reserved bandwidth guarantee that no other traffic class can use. Any unused bandwidth assigned to a traffic class is lost.
- Priority queuing (PQ): One queue is assigned the highest priority by the queuing scheduler. Every packet in this queue is transmitted before any packet in any other queue. WRR scheduling can be applied after the priority queue is empty. An example of such priority queuing is Low Latency Queuing (LLQ), sometimes called PQ/CBWFQ. Priority queuing ensures that the traffic class to which it is applied has minimum delay. Priority queuing is recommended for delay-sensitive traffic, such as voice.
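The following added example, which is not from the primer, is a small software model of the scheduler in Figure A-3 with the PQ/CBWFQ arrangement described above: the priority queue is drained before anything else, and the remaining classes share the link by weighted round robin, where credit a class does not use in a round is not kept, so its share goes to the other classes. The class names, weights, queue limit and the constructed burst are this example's assumptions.

```python
from collections import deque


class Scheduler:
    """Per-interface queues with a priority (LLQ) queue and WRR for the other classes."""

    def __init__(self, weights, priority_class=None, queue_limit=64):
        self.queues = {cls: deque() for cls in weights}
        self.weights = weights                  # packets each class may send per WRR round
        self.priority_class = priority_class
        self.queue_limit = queue_limit
        self.dropped = {cls: 0 for cls in weights}
        self._wrr_order = [c for c in weights if c != priority_class]
        self._credit = {c: 0 for c in self._wrr_order}

    def enqueue(self, cls, pkt):
        """Add to the tail of the class queue; tail-drop when the queue is full."""
        q = self.queues[cls]
        if len(q) >= self.queue_limit:
            self.dropped[cls] += 1
            return False
        q.append(pkt)
        return True

    def dequeue(self):
        """Pick the next packet: the priority queue first, then WRR over the rest."""
        pq = self.priority_class
        if pq is not None and self.queues[pq]:
            return pq, self.queues[pq].popleft()
        for _ in range(2):                      # second pass runs after a credit refill
            for cls in self._wrr_order:
                if self._credit[cls] > 0 and self.queues[cls]:
                    self._credit[cls] -= 1
                    return cls, self.queues[cls].popleft()
            for cls in self._wrr_order:         # new round; unused credit is not carried
                self._credit[cls] = self.weights[cls]   # over, so an idle class's share is freed
        return None

    def drain(self):
        """Transmit everything queued and return the (class, packet) order."""
        order = []
        while True:
            item = self.dequeue()
            if item is None:
                return order
            order.append(item)


def sample_burst():
    """Constructed burst of voice, signaling and data packets arriving together."""
    s = Scheduler({"voice": 0, "signaling": 1, "data": 3}, priority_class="voice")
    for cls, pkt in [("data", "d0"), ("data", "d1"), ("signaling", "s0"), ("data", "d2"),
                     ("voice", "v0"), ("data", "d3"), ("signaling", "s1"), ("data", "d4"),
                     ("voice", "v1"), ("data", "d5"), ("data", "d6"), ("data", "d7")]:
        s.enqueue(cls, pkt)
    return [pkt for _, pkt in s.drain()]
```

Draining the sample burst sends both voice packets first even though they arrived in the middle, then alternates one signaling packet with three data packets until signaling is empty, after which data takes every slot. A real LLQ also polices the priority queue (Table 6-2's 33-40% figure) so that voice cannot starve the WRR classes; this model leaves that to the policer example in the Traffic Policing section.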
QoS in a Switch
QoS in a switch is implemented by hardware. Typically, a fixed number of hardware queues (two to four) are provided on the QoS-enabled switches used in small business networks. Each switch port has its own set of hardware queues. If there are more traffic classes than there are hardware queues, then multiple traffic classes are assigned to the same queue. The QoS switch features include the following:
- WRR queuing with hardware queues
- SRR queuing with hardware queues
- Priority queuing, which is necessary in a switch to support applications such as voice
- Policing, if traffic is to be rate limited
- Marking incoming traffic
- If multiple traffic classes are placed in the same queue because the number of queues is less than the number of traffic classes used, some facility is required to drop traffic of one class before dropping traffic of other classes in the queue
- 802.1q trunking, with the ability to mark CoS based on IP precedence/DSCP and vice versa
Not every switch provides all the required functionality. Switches with good QoS features are recommended, particularly if applications such as voice or video are deployed at any time.
QoS in a WAN Router

Table A-2 (only partially recovered from the source): IP Precedence 5; Minimum Bandwidth Guarantee (in percent of interface bandwidth): 33 to 50%, 5 to 10%, 5 to 10%; Best effort, CS0, CBWFQ.
Note
Additional classes for other applications can be added as needed. The QoS policy is applied on any interface on the router that has potential for traffic congestion.
Advanced QoS
This section describes some advanced QoS features and includes the following sections:
- Hierarchical Queuing, page A-7
- Weighted Random Early Detection, page A-7
Hierarchical Queuing
Hierarchical Queuing is essential if the service provider contract allows a WAN bandwidth that is less than the bandwidth of the WAN interface. For example, if the contract is for 6 Mbps of traffic over a Fast Ethernet WAN link (which can forward at the rate of 100 Mbps), the service provider is likely to drop traffic it receives over the 6 Mbps contractual rate. This can drop voice and video packets. Therefore, instead of sending traffic at full line rate to the service provider, it is better to shape the traffic through the WAN interface to 6 Mbps (the contractual rate). Different traffic classes should get the appropriate bandwidth using the queuing mechanism, calculated based on the contractual bandwidth. This type of queuing within shaped output is known as hierarchical queuing.
WRED alleviates this issue. Drop probability can be applied to traffic of different classes. The probability of being dropped is based on the relative importance of the traffic. WRED is recommended on an interface, such as the WAN interface, that transports a large number of TCP sessions.
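The per-class drop probability described above can be written down compactly. The following added example (not from the primer) implements the standard WRED decision: an exponentially weighted average of the queue depth is kept, and each class has its own minimum threshold, maximum threshold and maximum drop probability, so that less important traffic starts being dropped earlier and more often. The threshold profiles, the averaging weight and the class names are this example's assumptions.

```python
import random


class Wred:
    """Weighted random early detection with one (min, max, max_p) profile per class."""

    def __init__(self, profiles, weight=1 / 512):
        self.profiles = profiles   # class -> (min_threshold, max_threshold, max_drop_probability)
        self.weight = weight       # EWMA weight for the average queue depth (assumption)
        self.avg_depth = 0.0

    def observe(self, current_depth):
        """Update the moving average of queue depth; called on every packet arrival."""
        self.avg_depth = (1 - self.weight) * self.avg_depth + self.weight * current_depth
        return self.avg_depth

    def drop_probability(self, cls, avg_depth=None):
        """0 below the class minimum, 1 at or above its maximum, linear in between."""
        avg = self.avg_depth if avg_depth is None else avg_depth
        min_th, max_th, max_p = self.profiles[cls]
        if avg < min_th:
            return 0.0
        if avg >= max_th:
            return 1.0
        return max_p * (avg - min_th) / (max_th - min_th)

    def should_drop(self, cls, rng=random.random):
        """Random early drop decision for one arriving packet of the given class."""
        return rng() < self.drop_probability(cls)


# Constructed profiles (packets): best effort is dropped from a shallower queue than
# critical data, so under congestion it yields first.
PROFILES = {"best-effort": (20, 40, 0.10), "critical-data": (30, 40, 0.10)}
```

With these profiles an average depth of 30 packets gives best-effort traffic a 5% drop probability while critical data is still untouched. Because the decision is random and spread over time, different TCP sessions back off at different moments instead of all at once when the queue tail-drops.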
Appendix B
Network Security
This appendix describes network security, which is critical to protect a business and its resources from various threats, such as viruses, worms, and denial-of-service (DoS) attacks. This appendix includes the following sections:
- Infrastructure Protection, page B-1
- Firewall Policy Enforcement, page B-2
- Enhanced Stateful Packet Inspection, page B-5
- Allowing Specific Traffic Types through the Firewall, page B-6
- Mitigating DoS Attacks, page B-7
When a comprehensive security strategy is implemented, protective measures can be implemented to identify, prevent, and effectively mitigate security threats. This section introduces the general areas of network security, including infrastructure protection and firewall policy enforcement. Virtual private networks are described in Appendix C, Virtual Private Network (VPN) for Secure Connectivity.
Infrastructure Protection
Network infrastructure components, such as routers, switches, and network servers, are often targets of attacks that can affect business operations. Security tools and best practices help protect each network component and the infrastructure as a whole and help ensure network availability. The following are general recommendations for protecting the network infrastructure components.
To prevent unauthorized persons from accessing network devices, administrative access can be controlled by allowing only secure access using the local console, Telnet, HTTPS, or SSH, and by limiting the number of administrators. In addition, administrative access can be limited to specific interfaces or IP subnets, wherever practical. Administrator passwords as well as other passwords on the device, such as VPN user passwords, must be encrypted. Strong passwords should be used with at least six characters and a mix of letters, digits, and special characters. If supported by the router, it is helpful to limit the administrative login rate and number of log-in retries to help prevent unauthorized access to the router.
Unless actually required in a deployment, disable the following services, which can potentially pose security threats if they are enabled on the router:
- IP source routing
- IP BOOTP server
- CDP
- Directed broadcast
- finger
- TCP Small Server
- UDP Small Server
- IP redirect
- IP proxy ARP
- IP Gratuitous ARP
- IP unreachables
- MOP service
- PAD service
- SNMP

In addition, the router should drop the following traffic:
- Traffic to or from the public Internet with private destination IP addresses.
- Traffic from the LAN to the router without the correct source address (for example, a public Internet address).
- Traffic that does not arrive on the expected interface, per the routing table. This prevents attackers using the wrong IP addresses from accessing the network. Enable Unicast Reverse Path Forwarding (uRPF), which performs this check, or any equivalent router feature that is available.
- Log errors and events: The network device must log errors, the identity of persons accessing the device, and other events, so that security threats are easier to detect.
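The checklist above is easy to verify mechanically. The following added example (not from the primer) audits an IOS-style configuration text against it: the listed services must appear in their disabled form, SNMP communities are flagged, login rate limiting must be present, each IP interface must have ICMP redirects, unreachables, proxy ARP, directed broadcast and MOP disabled, and the WAN interface must have uRPF. It assumes the configuration was collected so that defaults appear explicitly (for example with the IOS "show running-config all" command), that the WAN interface is recognized by the word WAN in its description, and the sample configuration, router name and finding messages are constructed for this example.

```python
# Constructed sample configuration; addresses are the primer's illustrative values.
SAMPLE_CONFIG = """\
hostname WAN-RTR
service password-encryption
no service pad
no service tcp-small-servers
no service udp-small-servers
no service finger
no ip source-route
no ip bootp server
no cdp run
login block-for 120 attempts 3 within 60
snmp-server community public RO
!
interface FastEthernet0/0
 description WAN uplink
 ip address 209.165.200.227 255.255.255.224
 no ip redirects
 no ip unreachables
 no ip proxy-arp
 no ip directed-broadcast
 no mop enabled
 ip verify unicast source reachable-via rx
!
interface FastEthernet0/1
 description LAN
 ip address 10.11.31.1 255.255.255.0
 ip redirects
 ip unreachables
 ip proxy-arp
 no ip directed-broadcast
 no mop enabled
!
"""

# Global lines that must be present (disabled services plus password encryption)
GLOBAL_REQUIRED = {
    "no ip source-route": "IP source routing is enabled",
    "no ip bootp server": "BOOTP server is enabled",
    "no cdp run": "CDP is enabled",
    "no service finger": "finger service is enabled",
    "no service tcp-small-servers": "TCP small servers are enabled",
    "no service udp-small-servers": "UDP small servers are enabled",
    "no ip gratuitous-arps": "gratuitous ARP is enabled",
    "no service pad": "PAD service is enabled",
    "service password-encryption": "passwords are stored unencrypted",
}
# Lines that must be present on every IP interface
INTERFACE_REQUIRED = {
    "no ip redirects": "ICMP redirects enabled",
    "no ip unreachables": "ICMP unreachables enabled",
    "no ip proxy-arp": "proxy ARP enabled",
    "no ip directed-broadcast": "directed broadcast enabled",
    "no mop enabled": "MOP service enabled",
}
URPF = "ip verify unicast source reachable-via rx"


def parse_config(text):
    """Split an IOS-style configuration into global lines and per-interface line lists."""
    global_lines, interfaces, current = [], {}, None
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line or line.startswith("!"):
            current = None                       # "!" terminates an interface block
            continue
        if line.startswith("interface "):
            current = line.split(None, 1)[1]
            interfaces[current] = []
        elif line[0].isspace() and current is not None:
            interfaces[current].append(line.strip())
        else:
            current = None
            global_lines.append(line)
    return global_lines, interfaces


def audit(text):
    """Return (scope, message) findings for every check that fails."""
    findings = []
    global_lines, interfaces = parse_config(text)
    present = set(global_lines)
    for required, message in GLOBAL_REQUIRED.items():
        if required not in present:
            findings.append(("global", message))
    for line in global_lines:
        if line.startswith("snmp-server community"):
            findings.append(("global", "SNMP community configured: " + line))
    if not any(l.startswith("login block-for") for l in global_lines):
        findings.append(("global", "no login rate limiting configured"))
    for name, lines in interfaces.items():
        if not any(l.startswith("ip address ") for l in lines):
            continue                             # only IP interfaces are checked
        for required, message in INTERFACE_REQUIRED.items():
            if required not in lines:
                findings.append((name, message))
        is_wan = any(l.startswith("description") and "WAN" in l for l in lines)
        if is_wan and URPF not in lines:
            findings.append((name, "uRPF not enabled on WAN interface"))
    return findings
```

On the sample configuration the audit reports five findings: gratuitous ARP is not disabled, an SNMP community is configured, and the LAN interface still has redirects, unreachables and proxy ARP enabled; the WAN interface passes every check.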
LAN interface, WAN interface, and DMZ interface with default rules. However, all these different implementations have either built-in traffic permission rules between zones, or allow an administrator to create or edit zones and their rules.
Figure B-1 Typical Firewall Security Zones (figure: the Internet connects to the outside zone through the WAN interface; the DMZ zone and the inside zone sit behind the router)
Figure B-1 shows three firewall security zones in a router. The first two zones, at least, are required by the simplest firewall policy:
- Inside zone: PCs, laptops, and other end-user devices such as printers, scanners, and network storage servers that are connected to the LAN are placed in the inside zone.
- Outside zone: The WAN interface is placed in the outside zone.
- DMZ: Servers accessed from the public Internet are placed in the DMZ.
The rules for the inside and outside zones are defined so that employees can access the public Internet, but someone from the public Internet cannot access PCs or other LAN devices and resources. If servers are accessed from the public Internet, such as web servers or e-mail servers, an additional zone, called the Demilitarized Zone (DMZ) is required. This zone allows you to apply firewall rules that help prevent the servers from being used to stage a security attack on the inside zone. This potential exists because these servers can be accessed from the public Internet. After defining the required security zones, there are typically three types of firewall policies that can be applied to traffic passing between two different zones, such as the inside and outside zone in the current example:
- PASS: Allow all traffic, or allow selected traffic between the two zones.
- DROP: Drop all traffic, or drop selected traffic between the two zones.
- Inspect: Allow members of one zone to initiate sessions of selected traffic to the other zone, and also allow return traffic. This is also known as stateful packet inspection. A session is essentially a single TCP or UDP connection using a specific application port, or an ICMP (ping) packet and the response.
Traffic can be selected using access control lists applied to the router interfaces, or by any other means supported by a specific router.
Basic Firewall
Policy for traffic to the inside zone:
  From inside zone: Allow
  From outside zone: Drop
A router, particularly one that is intended for use in small networks, may have specific ports marked as WAN port and LAN port, and provides these firewall policies by default. The administrator simply selects the traffic to be passed, dropped, or inspected.
Policy for traffic to the inside zone:
  From inside zone: Allow
  From outside zone: Drop
  From DMZ zone: Drop
A router, particularly one intended for small networks, may have specific ports marked as WAN port, LAN port, and DMZ port, and provides these firewall policies by default with options to edit the policies and select the traffic allowed between the zones. This type of firewall minimizes the configuration required to implement a simple firewall policy.
- Local-services zone: Some deployments may implement more granular zones to differentiate between different types of servers, such as those accessed from the public Internet (DMZ zone), and those accessed only by the employees (possibly over a VPN). Such servers include RADIUS servers, local DNS servers, and servers that control voice calls. These servers are placed in the Local-services zone. The inside zone can initiate traffic to this zone. This zone cannot initiate traffic to any other zone, except possibly the self zone, as required.
- VPN zone: VPN connections may be placed in a separate zone to differentiate firewall policies between local users and users connected through a VPN. This is useful to restrict VPN users from accessing some services when connected through a VPN. When such restriction is not necessary, the VPN users can be placed in the inside zone instead.
- Self zone: The self zone is the router itself, controlling traffic intended for the router. For example, a remote location may establish an IPSec VPN session with the router, an administrator may access the router using Telnet, HTTPS, or SSH, or a PC/laptop may obtain an IP address through DHCP from the WAN router. Access to this zone is typically restricted using access control lists or other mechanisms.
Enhanced Stateful Packet Inspection

- H.323 sessions from NetMeeting
- Applications using the Real Time Streaming Protocol (RTSP), including:
In all these cases, the firewall automatically detects additional sessions as they are created and allows the traffic from the sessions through the firewall. The firewall allows the administrator to specify the applications that should be allowed.
A firewall can also intelligently examine data exchanges to detect potential application-specific threats. A firewall may examine the data exchange in a session to determine the potential for a specific threat and take suitable action as necessary, including breaking the connection. For example, HTTP inspection offers Java Applet filtering to block malicious content in HTTP traffic. When malicious content is found, the packets are dropped. Firewalls may also examine traffic of many other protocols such as those used for e-mail (SMTP, ESMTP, POP3, or IMAP), or by IP telephony applications (SIP and SCCP) to detect and prevent unwanted traffic.
Note
The level of security provided by a firewall depends on the protocols it can analyze. This is an important consideration when choosing a firewall device.
Firewall is configured to allow traffic destined to the VPN gateway:

VPN Protocol    IP Address                       Protocol   Layer 4 Port
IPSec ISAKMP    IPSec VPN gateway (WAN router)   UDP        500
IPSec ESP       IPSec VPN gateway (WAN router)   IP         50 (IP protocol number, not a port)
IPSec NAT-T     IPSec VPN gateway (WAN router)   UDP        4500
SSL VPN         SSL VPN gateway (WAN router)     TCP/UDP    443
Table B-4 Firewall is configured to allow traffic destined to the following servers

Application     IP Address                 Layer 4 Protocol   Layer 4 Port
E-mail server   E-mail server IP address   TCP                25
WWW server      Web server IP address      TCP                80
DNS server      DNS server IP address      TCP/UDP            53
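The following added example, which is not from the primer, puts the zone model of Figure B-1, the PASS/DROP/Inspect policies, and the allow rules of Table B-4 and the VPN table together in one stateful zone firewall: traffic between two zones is checked against the policy for that zone pair, an inspected session is remembered so that its return traffic is allowed, and any zone pair without a policy is dropped. The LAN subnet and WAN address are the primer's; the DMZ subnet 10.11.32.0/24, the server addresses, the Internet host 198.51.100.7, the default-deny for unlisted zone pairs (including DMZ to inside) and the class and function names are this example's assumptions. NAT is left out so that the zone logic stands alone.

```python
from ipaddress import ip_address, ip_network

# Constructed addressing: LAN subnet and WAN address from the primer, DMZ made up.
INSIDE_NET = ip_network("10.11.31.0/24")
DMZ_NET = ip_network("10.11.32.0/24")
WAN_IP = "209.165.200.227"
MAIL_IP, WEB_IP, DNS_IP = "10.11.32.22", "10.11.32.23", "10.11.32.24"

ANY = "any"


def zone_of(ip):
    """Map an address to a security zone (Figure B-1 zones plus the self zone)."""
    if ip == WAN_IP:
        return "self"
    addr = ip_address(ip)
    if addr in INSIDE_NET:
        return "inside"
    if addr in DMZ_NET:
        return "dmz"
    return "outside"


# (from_zone, to_zone) -> (policy, selected traffic). Selected traffic is ANY or a
# set of (protocol, destination port, destination address). Zone pairs with no
# entry, for example dmz -> inside, are dropped.
POLICY = {
    ("inside", "outside"): ("inspect", ANY),
    ("inside", "dmz"): ("inspect", ANY),
    # Table B-4: public servers in the DMZ
    ("outside", "dmz"): ("inspect", {("tcp", 25, MAIL_IP), ("tcp", 80, WEB_IP),
                                     ("tcp", 53, DNS_IP), ("udp", 53, DNS_IP)}),
    # VPN traffic terminated on the router itself: ISAKMP, ESP, NAT-T, SSL VPN
    ("outside", "self"): ("pass", {("udp", 500, WAN_IP), ("esp", None, WAN_IP),
                                   ("udp", 4500, WAN_IP), ("tcp", 443, WAN_IP)}),
}


class ZoneFirewall:
    def __init__(self, policy=POLICY):
        self.policy = policy
        self.sessions = set()     # inspected sessions whose return traffic is allowed

    def handle(self, pkt):
        """pkt: dict with proto, src, dst and, for tcp/udp, src_port and dst_port.

        Returns (action, reason) where action is 'allow' or 'drop'.
        """
        src_zone, dst_zone = zone_of(pkt["src"]), zone_of(pkt["dst"])
        if src_zone == dst_zone:
            return "allow", "same zone"
        flow = (pkt["proto"], pkt["src"], pkt.get("src_port"), pkt["dst"], pkt.get("dst_port"))
        reverse = (pkt["proto"], pkt["dst"], pkt.get("dst_port"), pkt["src"], pkt.get("src_port"))
        if reverse in self.sessions:
            return "allow", "return traffic of an inspected session"
        action, selected = self.policy.get((src_zone, dst_zone), ("drop", None))
        matches = selected == ANY or (pkt["proto"], pkt.get("dst_port"), pkt["dst"]) in (selected or set())
        if action == "drop" or not matches:
            return "drop", "%s->%s policy" % (src_zone, dst_zone)
        if action == "inspect":
            self.sessions.add(flow)              # remember the session for its return traffic
        return "allow", "%s->%s %s" % (src_zone, dst_zone, action)
```

The two cases worth noting are the reply packets: the web server's answer to an inside laptop and the Internet client's continuing exchange with the DMZ mail server are allowed only because the initial packet created a session entry, while the same packets arriving unsolicited are dropped. A DMZ server that is compromised still cannot open sessions toward the inside zone, which is the purpose of the separate zone.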
Mitigating DoS Attacks

- Restricting the number of possible half-open sessions to a limit beyond which older half-open sessions are terminated
- Controlling the maximum time a half-open session can be alive
- Limiting the maximum rate of session requests
Many low-cost firewalls have these limits hard-coded and are non-configurable. It is recommended to select a router that offers the flexibility of changing these limits based on deployment requirements.
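The three half-open session controls listed above, as an added example that is not code from the primer or from any router vendor. It models a firewall's embryonic-connection table with the three limits exposed as constructor parameters (the configurability the primer recommends looking for); flow identifiers and timestamps in the usage are constructed sample values, and the one-second rate window is an assumption.

```python
"""Half-open (embryonic) TCP session limiter with the three controls the
primer lists: a cap on concurrent half-open sessions (oldest evicted when
exceeded), a maximum age per half-open session, and a ceiling on the rate
of new session requests.  Added example; not the primer's or vendor code."""
from collections import OrderedDict


class HalfOpenLimiter:
    def __init__(self, max_half_open=3, max_age=30.0, max_rate_per_sec=5):
        self.max_half_open = max_half_open      # control 1: absolute cap
        self.max_age = max_age                  # control 2: seconds a SYN may wait
        self.max_rate = max_rate_per_sec        # control 3: requests per second
        # flow -> time the SYN was seen; insertion order doubles as age order
        self.half_open = OrderedDict()
        self.request_times = []                 # recent session-request timestamps

    def _expire(self, now):
        """Control 2: drop half-open sessions that have waited longer than max_age."""
        expired = [f for f, t in self.half_open.items() if now - t > self.max_age]
        for flow in expired:
            del self.half_open[flow]
        return expired

    def syn(self, flow, now):
        """Handle a new session request at time `now` (seconds).
        Returns 'accept' or 'rate-limited'."""
        self._expire(now)
        # Control 3: sliding one-second window over request timestamps (assumed window)
        self.request_times = [t for t in self.request_times if now - t < 1.0]
        if len(self.request_times) >= self.max_rate:
            return "rate-limited"
        self.request_times.append(now)
        # Control 1: when the table is full, terminate the oldest half-open sessions
        while len(self.half_open) >= self.max_half_open:
            self.half_open.popitem(last=False)
        self.half_open[flow] = now
        return "accept"

    def established(self, flow):
        """Third handshake packet seen: the flow is no longer half-open."""
        return self.half_open.pop(flow, None) is not None

    def count(self):
        return len(self.half_open)


if __name__ == "__main__":
    # Constructed sample flows: (client IP, client port)
    lim = HalfOpenLimiter(max_half_open=3, max_age=30.0, max_rate_per_sec=5)
    for i, t in enumerate([0.0, 0.1, 0.2, 0.3, 0.4, 0.5]):
        print(("10.0.0.%d" % (i + 1), 40000 + i), lim.syn(("10.0.0.%d" % (i + 1), 40000 + i), t))
    print("half-open now:", lim.count())
```

With the sample values, the fourth SYN evicts the first (cap of three), the sixth is rate-limited (five per second), and a SYN arriving 40 seconds later finds the table empty because the earlier entries have aged out.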
APPENDIX C
Virtual Private Network (VPN) for Secure Connectivity

Overview, page C-1
Basic Cryptographic Procedures, page C-2
IPSec Technology, page C-4
Virtual Private Network for Small Businesses, page C-7
Overview
VPN technology is useful for any small business that has multiple locations that exchange information over the public Internet, or that has home offices or mobile workers who connect to the main office over the Internet. Securing data over a public network is a complex issue because the data may be intercepted by unauthorized devices, or it may get modified in transit. The security of data transmitted over a network involves three aspects:
Data confidentiality: Keeping data secret from all but the intended destination. Data confidentiality is achieved by encrypting the data.

Data integrity: Ensuring that any modification of data is easily detected. Various hash techniques are used for maintaining data integrity.

Authenticity: Establishing proof of the identity of the receiver and sender, which prevents impersonation. Authentication ensures that the authorized source or destination device is sending or receiving the data. This is usually achieved by passwords or certificates.
The following section explains the basic cryptographic procedures for achieving data confidentiality, data integrity, and authentication that are provided by VPN technology. The subsequent two sections describe the most popular VPN technologies: IPSec and SSL VPN.
Basic Cryptographic Procedures

Preshared Key, page C-2
RSA, page C-2
Cryptographic Hash Function, page C-2
Hash-Based Message Authentication Code, page C-3
X.509 Digital Certificate, page C-3
Diffie-Hellman Key Exchange, page C-3
Encryption, page C-4
Preshared Key
When using preshared (secret) keys, a string of letters, digits, and special characters is known only to the source and destination. The preshared key can be used for a variety of purposes, such as an encryption key for data confidentiality, or to authenticate a network device. The weakness of preshared keys is the difficulty of securely sharing the key, and the related difficulty of keeping the key secret.
RSA
RSA is a public-key cryptographic algorithm that can be used to create a public key and a private key. The public key can be known to everyone and can be used for encrypting messages. Messages encrypted with the public key can be decrypted only using the private key. Typically a public key is publicly known, but the private key is kept secret. Anyone knowing your public key can encrypt a message that only you can decrypt with the secret private key. The main weakness of RSA is that it is significantly slower to compute compared to popular secret-key algorithms, such as DES or AES.
Appendix C
Virtual Private Network (VPN) for Secure Connectivity Basic Cryptographic Procedures
At the source, HMAC involves:

- Hashing a combination of the message and a secret key known to the destination, using either MD5 or SHA-1
- Appending the hash value (message digest) to the message
The destination device produces its own version of the hash value from the message using the secret key it knows. If the calculated hash value matches the hash value appended to the received message, the message has not been tampered with. This ensures data integrity. If the hash values match, it can also be assumed that the secret key on both devices matches, thus authenticating the sender to the receiver. Therefore HMAC can be used to ensure both message integrity and sender authentication. Depending on the actual hash function used (MD5 or SHA-1), the HMAC procedure is called either HMAC-MD5 or HMAC-SHA-1.
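The sender and receiver sides of the HMAC procedure just described, as an added example that is not code from the primer. It uses Python's standard hmac module, which implements the HMAC construction of RFC 2104 (a keyed, nested hash rather than a plain hash of key and message concatenated), with HMAC-SHA-1 as the default; the key and messages are constructed sample values.

```python
"""HMAC-based integrity and sender-authentication check.
Sender: compute HMAC(key, message) and append the digest.
Receiver: split off the digest, recompute with its own copy of the key,
and compare.  Added example; not code from the primer."""
import hashlib
import hmac


def protect(message: bytes, key: bytes, algo: str = "sha1") -> bytes:
    """Sender side: return message || HMAC digest (HMAC-SHA-1 by default)."""
    digestmod = getattr(hashlib, algo)
    tag = hmac.new(key, message, digestmod).digest()
    return message + tag


def verify(blob: bytes, key: bytes, algo: str = "sha1"):
    """Receiver side.  Returns (ok, message).
    ok is True only when the recomputed digest matches the appended one,
    which shows both that the message is unmodified and that the sender
    held the same secret key."""
    digestmod = getattr(hashlib, algo)
    digest_size = digestmod().digest_size
    if len(blob) < digest_size:
        return False, b""                      # too short to carry a digest
    message, tag = blob[:-digest_size], blob[-digest_size:]
    expected = hmac.new(key, message, digestmod).digest()
    # compare_digest runs in constant time so a forger cannot learn, byte by
    # byte, how close a guessed tag is from the response timing
    return hmac.compare_digest(tag, expected), message


if __name__ == "__main__":
    key = b"constructed-preshared-key"         # constructed sample key
    blob = protect(b"transfer 100 to account 42", key)
    print("intact:", verify(blob, key))
    tampered = bytearray(blob)
    tampered[9:12] = b"999"                    # change the amount in transit
    print("tampered:", verify(bytes(tampered), key))
    print("wrong key:", verify(blob, b"some-other-key"))
```

A modified message and a message tagged under a different key are both rejected; the receiver cannot tell the two cases apart, which is exactly the primer's point that one check covers both integrity and sender authentication.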
An X.509 digital certificate contains, among other fields:

- Name of the certificate holder
- Public key of the certificate holder
- Certificate expiry date
- Digital signature of the CA
The private key corresponding to the public key is not made public by the certificate holder. When a digital certificate is available to a network device, the device can validate the identity of the certificate holder if it trusts the CA (verified by the digital signature of the CA). This is how an X.509 digital certificate provides authentication of a network device. A preshared key is an alternative to a digital certificate for establishing the identity of the sender or receiver. Because preshared keys must be manually configured on each network device, the administrative effort is high in large networks. However, a preshared key is quite suitable for a small business network, because it is simpler to implement and does not involve the cost of renewing a certificate every year.
This clever mechanism uses mathematical formulas involving a base prime number during the key exchange. D-H key exchange provides options for using different length base prime numbers. For example, DH Group 2 uses a length of 1024 bits, while DH Group 1 uses 768 bits. There are additional groups as well. DH group 2 is more secure than DH group 1, but both networking peers must use the same DH group. The shared key that is established by D-H key exchange can be used to encrypt traffic between the two network devices, but it requires such a high amount of computation that it is not used to encrypt regular traffic between the devices. Instead, the shared key is used to encrypt and transmit a simpler key that is then used to encrypt the traffic. The simpler key that is used to actually encrypt traffic can be based on any one of the following algorithms:
Encryption
Data encryption is used to maintain data confidentiality. The algorithms used for encrypting data are called ciphers. The sender encrypts the data using a secret key and transmits the encrypted data over the network. The receiver decrypts the data using the same secret key. A block cipher specifies the encryption and decryption algorithms that transform a fixed-size block of data into a block of encrypted data of equal size. The decryption algorithm uses the same key to decrypt the encrypted data back to its original form. Three popular block ciphers are given below in the order of the level of security they provide:
- Data Encryption Standard (DES): One of the oldest secret-key encryption schemes; it offers the least security among the three block ciphers.
- Triple DES: Triple Data Encryption Algorithm (TDEA) encrypts data three times.
- Advanced Encryption Standard (AES): Provides the option of using any one of three specific block ciphers, AES-128, AES-192, and AES-256. The numbers denote the key size in bits. AES encrypts and decrypts data in 128-bit blocks.
It is recommended to use AES encryption whenever available, because it provides the best security among the block ciphers and is computationally more efficient as well.
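The Diffie-Hellman exchange described above, carried out over the 1024-bit group that IKE calls DH Group 2, as an added example that is not code from the primer or from any router. The prime is the one published for that group in RFC 2409 (section 6.2) with generator 2, and the block checks it with a Miller-Rabin test before use. The two sides' private exponents are random; reducing the agreed value to a 256-bit symmetric key with SHA-256 is an illustration of "the shared key is used to protect a simpler key" and is not IKE's own key derivation.

```python
"""Diffie-Hellman key agreement over IKE DH Group 2 (1024-bit MODP prime from
RFC 2409 section 6.2, generator 2).  Added example; not the primer's code.
The SHA-256 step at the end is an assumed, simplified key derivation."""
import hashlib
import secrets

DH_GROUP2_P = int(
    "FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD1"
    "29024E088A67CC74020BBEA63B139B22514A08798E3404DD"
    "EF9519B3CD3A431B302B0A6DF25F14374FE1356D6D51C245"
    "E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7ED"
    "EE386BFB5A899FA5AE9F24117C4B1FE649286651ECE65381"
    "FFFFFFFFFFFFFFFF", 16)
DH_GROUP2_G = 2


def is_probable_prime(n: int, rounds: int = 16) -> bool:
    """Miller-Rabin probabilistic primality test; used to sanity-check the group."""
    if n < 4:
        return n in (2, 3)
    if n % 2 == 0:
        return False
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        a = secrets.randbelow(n - 3) + 2          # witness in [2, n-2]
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False                          # composite witness found
    return True


class DHPeer:
    """One side of the exchange: a random private exponent and g^x mod p."""

    def __init__(self, p: int = DH_GROUP2_P, g: int = DH_GROUP2_G):
        self.p, self.g = p, g
        self.private = secrets.randbelow(p - 2) + 1   # 1 <= x <= p-2, never sent
        self.public = pow(g, self.private, p)          # sent to the peer in the clear

    def shared_secret(self, peer_public: int) -> int:
        # Reject degenerate values (0, 1, p-1) that would force a trivial secret
        if not 1 < peer_public < self.p - 1:
            raise ValueError("invalid peer public value")
        return pow(peer_public, self.private, self.p)


def derive_key(shared_secret: int, p: int) -> bytes:
    """Turn the large agreed integer into a fixed-size symmetric key (assumed KDF)."""
    length = (p.bit_length() + 7) // 8
    return hashlib.sha256(shared_secret.to_bytes(length, "big")).digest()


def exchange(p: int = DH_GROUP2_P, g: int = DH_GROUP2_G):
    """Run one exchange between two peers and return the key each side derives."""
    alice, bob = DHPeer(p, g), DHPeer(p, g)
    key_a = derive_key(alice.shared_secret(bob.public), p)   # only public values cross the wire
    key_b = derive_key(bob.shared_secret(alice.public), p)
    return key_a, key_b


if __name__ == "__main__":
    print("group prime bits:", DH_GROUP2_P.bit_length(), "prime:", is_probable_prime(DH_GROUP2_P))
    ka, kb = exchange()
    print("both sides agree:", ka == kb, ka.hex())
```

Both sides reach the same key without the private exponents ever leaving their owner, and the Miller-Rabin check also confirms the group prime is a safe prime ((p-1)/2 is prime too), which is what makes the small-subgroup check in shared_secret sufficient for this group.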
IPSec Technology
IP Security Protocol (IPSec) is a framework of open standards that provides data confidentiality, data integrity, and data authentication between participating peers (network devices). It is one of the most widely used technologies for establishing VPNs over the Internet. IPSec can be used in transport mode to protect the data flow between a pair of hosts, such as a pair of PCs/laptops, although this is not typical in a small business. Instead, IPSec tunnel mode offers data protection between a pair of security gateways, such as routers, or between a security gateway and a host, and is used in most VPNs.

IPSec Encapsulation: IPSec provides an option to encapsulate the data packets in one of two ways:
- Encapsulating Security Payload (ESP): Provides data confidentiality and sender authentication. ESP is the most popular encapsulation used in IPSec VPNs, and is the recommended method for small business networks.
- Authentication Header (AH): Provides authentication only (no data confidentiality). Not typical in VPNs. Further, AH does not work with NAT.
IPSec Session between two network devices: The process of setting up an IPSec session between two network devices can be broadly divided into two steps.
IPSec First Phase: The network devices authenticate each other using a preshared key or a digital certificate. Because the two devices may support different cryptographic capabilities or policies, such as encryption algorithms (DES, AES, and so forth), the network devices determine a common set of algorithms and procedures to secure data between them, such as the encryption algorithm to use and the D-H group to use to establish the secret key for data encryption. The type of authentication, D-H group, and encryption method that a router can use is configured on the router as an IKE policy. This negotiation using the IKE policy is performed with the Internet Key Exchange (IKE) protocol, which is a specific form of the Internet Security Association and Key Management Protocol (ISAKMP). This step is said to establish an ISAKMP security association (SA) between the peers.
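The first-phase policy negotiation just described, as an added example that is not code from the primer or from any vendor's IKE implementation. Each router holds an ordered list of IKE policies (encryption, hash, authentication method, D-H group, the attributes the primer names); the initiator offers its policies in priority order and the peers settle on the first one the responder also has, with the D-H group required to match exactly. The policy lists in the usage are constructed, and the attribute value strings are this example's own naming.

```python
"""IKE phase-1 policy negotiation: first initiator policy the responder
also supports wins; no match means no ISAKMP SA.  Added example; not the
primer's code.  Attribute spellings ("aes", "pre-share", ...) are assumed."""
from dataclasses import dataclass
from typing import List, Optional

WEAK_DES = "DES offers the least security of the three block ciphers; prefer AES"
WEAK_DH1 = "DH group 1 (768-bit) is less secure than DH group 2 (1024-bit)"


@dataclass(frozen=True)
class IkePolicy:
    encryption: str   # "des", "3des" or "aes"
    hash_alg: str     # "md5" or "sha"
    auth: str         # "pre-share" or "rsa-sig"
    dh_group: int     # 1 (768-bit prime) or 2 (1024-bit prime)


def negotiate(initiator: List[IkePolicy], responder: List[IkePolicy]) -> Optional[IkePolicy]:
    """Walk the initiator's policies in priority order and return the first
    one the responder also holds (all four attributes equal, so both peers
    necessarily use the same D-H group).  None when nothing matches."""
    responder_set = set(responder)
    for proposal in initiator:
        if proposal in responder_set:
            return proposal
    return None


def weaknesses(policy: IkePolicy) -> List[str]:
    """Flag the choices the primer advises against in the agreed policy."""
    notes = []
    if policy.encryption == "des":
        notes.append(WEAK_DES)
    if policy.dh_group == 1:
        notes.append(WEAK_DH1)
    return notes


if __name__ == "__main__":
    # Constructed sample policy lists for a main-office hub and a branch router
    hub = [IkePolicy("aes", "sha", "pre-share", 2),
           IkePolicy("3des", "sha", "pre-share", 2),
           IkePolicy("des", "md5", "pre-share", 1)]
    branch = [IkePolicy("3des", "sha", "pre-share", 2),
              IkePolicy("des", "md5", "pre-share", 1)]
    agreed = negotiate(hub, branch)
    print("agreed policy:", agreed, "warnings:", weaknesses(agreed))
```

The branch router in the sample lacks an AES policy, so the peers fall back to 3DES; if the hub's administrator later removed the DES/group 1 entry and the branch kept only that one, negotiation would return None and the tunnel would never come up, which is the usual cause of a "no proposal chosen" style failure.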
IPSec Second Phase: The second phase of IPSec session establishment starts only after the ISAKMP SA is established. The keys and the encryption algorithms are negotiated by the ISAKMP session during the first phase. The next step is to use the negotiated keys and algorithms for actually encrypting and transferring the data. However, before this can be done, the following additional information is required:

- The encapsulation format (ESP header or AH header), and the hash method to use for message integrity check and authentication (HMAC-SHA, HMAC-MD5, and so forth). The method that a network device should use is specified on the device by an administrator. This is commonly known as the IPSec Transform.
- The type of traffic that needs to be encrypted (not all traffic flowing between two peers may need encryption). For example, a WAN router may send traffic to another office location, as well as to the Internet. Although Internet traffic is not encrypted, traffic to the other office location requires encryption.
- The identity of the other end of the IPSec VPN session (typically its IP address).
The second phase establishes what is known as a pair of IPSec Security Associations (IPSec SAs) between the two peers, one IPSec SA for each direction of traffic flow. After the IPSec SAs are established, data is transferred securely for as long as the SAs exist.

Recommended IPSec attributes for a small business network: Table C-1 summarizes the typically available and recommended options when configuring IKE and IPSec policies in a router. The user interface to configure these may vary among routers depending on the vendor. Some routers may assume certain default values that are not modifiable (and possibly not visible).
Table C-1

Attribute                            | IKE Policy Options                                                                 | IPSec Policy Options
Encryption                           | DES, 3DES, or AES (AES is recommended).                                            | DES, 3DES, or AES (AES is recommended).
Hash                                 | SHA or MD5                                                                         | SHA or MD5
Authentication                       | Pre-shared keys (strong) or RSA. Pre-shared is recommended for small businesses.  | NA
Security association (SA) lifetime   | A suitable value in seconds. A new SA is negotiated for use after this time period. A short lifetime is more secure, but may increase VPN gateway workload. |
Encapsulation method                 | NA                                                                                 |
Note
Although the recommendations listed in this section are suitable for most deployments, it is important that any partner or customer compare these recommendations to an existing company security policy before implementing them. It is also important to determine whether the routers in the network can support the recommendations.

IPSec configuration also needs to take into consideration the following additional aspects:

IPsec NAT Transparency: The IPsec NAT Transparency (NAT-T) feature allows IP Security (IPsec) traffic to travel through a router that NATs (or PATs) the IP packets (otherwise, NAT may be incompatible with IPSec). In many routers NAT-T is automatically enabled if NAT is detected.

Replay detection: This allows a receiver of data over an IPSec connection to detect and reject old or duplicate packets. Such packets may occur during a replay attack, where the attacker sends old or duplicate packets to the receiving device, hoping that the receiver accepts the traffic as legitimate. Each IPSec packet in an IPSec connection carries a sequence number that the sender increases continuously as packets are sent out. The receiver detects a replay when it finds a break in the sequence numbers. To check for such a break, the router keeps a buffer, the replay window, that stores details of several recent packets. Some routers allow the size of the replay window to be set by the administrator, while lower-end routers assume a fixed value.
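The replay window just described, as an added example that is not code from the primer or from any router. It follows the sliding-window scheme of RFC 4303 Appendix A in simplified form (32-bit sequence numbers only, no extended sequence numbers or wraparound): the receiver remembers the highest sequence number accepted and a bitmap of which of the last window_size numbers have arrived, so a duplicate is rejected as a replay and anything behind the window is rejected as too old, while a late packet still inside the window is accepted once. The window size and packet sequence in the usage are constructed.

```python
"""IPsec-style anti-replay sliding window (simplified RFC 4303 Appendix A).
Added example; not the primer's or vendor code."""


class ReplayWindow:
    def __init__(self, window_size: int = 64):
        if window_size < 1:
            raise ValueError("window_size must be positive")
        self.size = window_size
        self.top = 0          # highest sequence number accepted so far
        self.bitmap = 0       # bit i set  <=>  sequence number (top - i) already seen

    def check_and_update(self, seq: int) -> str:
        """Classify an incoming sequence number and record it if accepted.
        Returns 'accept', 'replay' (duplicate) or 'too-old' (behind the window)."""
        if seq <= 0:
            return "too-old"                      # ESP sequence numbers start at 1
        if seq > self.top:
            # New high-water mark: slide the window forward and mark this packet
            shift = seq - self.top
            self.bitmap = ((self.bitmap << shift) | 1) & ((1 << self.size) - 1)
            self.top = seq
            return "accept"
        diff = self.top - seq
        if diff >= self.size:
            return "too-old"                      # fell off the left edge of the window
        if self.bitmap & (1 << diff):
            return "replay"                       # already received this number
        self.bitmap |= 1 << diff                  # late but within the window: accept once
        return "accept"

    def seen(self, seq: int) -> bool:
        """True if seq is recorded as received within the current window."""
        diff = self.top - seq
        return 0 <= diff < self.size and bool(self.bitmap & (1 << diff))


if __name__ == "__main__":
    # Constructed packet arrival order: reordering, a duplicate, a jump, a stale packet
    w = ReplayWindow(window_size=4)
    for seq in [1, 1, 3, 2, 2, 10, 6, 7, 7]:
        print(seq, "->", w.check_and_update(seq))
```

A larger window tolerates more reordering on the path at the cost of a longer bitmap, which is the trade-off behind the administrator-settable window size the primer mentions; a packet that is merely late is still accepted, but one that is both late and already seen, or older than the window allows, is dropped.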
Virtual Private Network for Small Businesses
- IPSec site-to-site VPN for secure connection with remote offices
- IPSec-based remote access VPN for home office or mobile workers
- SSL VPN for mobile workers
IPSec Remote Access VPN for Home Office and Mobile Workers
When the IP address of the remote location is not known, as in the case of a home office or a mobile worker whose WAN IP address may change, site-to-site IPSec VPN is not possible. In addition, as the number of home offices and/or mobile workers increases, updating the IPSec configuration of the main office router every time an employee joins, leaves, or moves would have a high impact on network administration. An IPSec remote access VPN is suitable in such cases. IPSec Remote Access VPN replaces the peer authentication with authentication of a group of employees who share the same key. This requires the configuration of a group profile on the hub router. In addition, each user is also individually authenticated via a protocol known as XAUTH. IPSec remote access VPN can be established between the main office WAN router and the mobile worker's laptop or the home office router. The laptop needs to have the vendor's IPSec remote access VPN client software installed. IPSec remote access VPN implementation is non-standard; the client of one vendor will not work with another vendor's hub router.
2. The web server responds to this by sending its certificate, which contains its public key.
3. The browser verifies the certificate to ensure the authenticity of the web server.
4. The browser encrypts a random encryption key using the web server's public key. It also encrypts the required URL using the encryption key. It then sends both to the web server.
5. The web server, using its private key, decrypts the received encryption key, and uses the key to decrypt the URL and associated data.
6. Next, the web server encrypts the requested HTML document with the key, and sends it to the browser.
7. The browser decrypts the HTML document using the key and displays the information.
In SSL VPN, an SSL VPN gateway device is inserted between the browser and the target web server. The browser forwards all web traffic to the SSL VPN gateway using Secure Socket Layer for data confidentiality. The SSL VPN gateway retrieves the original web request from the received data and forms and forwards a corresponding HTTP request to the real target web server on behalf of the browser. It also forwards the response back to the browser. Thus the SSL VPN gateway acts as a proxy for the actual web servers. The SSL protocol ensures data confidentiality and end-point authentication. SSL VPN can only access browser-based applications using TCP protocols. However, using client software, SSL VPN can be used to access any TCP and non-TCP application. The configuration of SSL uses many of the basic cryptographic procedures described earlier, and they are not repeated here. Table C-2 provides a comparison between IPSec Remote Access VPN and SSL VPN to help identify the suitability of one over the other depending on deployment needs.

Table C-2 Comparison of IPSec and SSL VPN Technology
IPSec Remote Access VPN | SSL VPN | Remark
Implementation is not a standard. Vendor interoperability not typical. | Standard implementation. However, vendors typically enhance SSL VPN for additional features such as accessing all applications via SSL; in such cases vendor interoperability is not guaranteed. | Vendor interoperability possible for basic SSL VPN.
Works for any IP-based application. | Works for only TCP applications. | Non-standard SSL VPN implementation allows access to all applications.
Can be between a router (home office) and a hub. | Only supported from an end user laptop/PC (mobile worker). |
Laptop needs a client. | No client is necessary. A browser can be used to establish the SSL VPN session. | Non-standard SSL VPN implementation that allows access to all applications requires a client.
Authentication can be done with either pre-shared key or certificate. | Authentication with certificate only. |